
Adding Workstations to a Windows 2000 Domain

By ServerWatch Staff
Posted Nov 5, 2001


by Marcin Policht

Installing new workstations in a Windows NT 4.0 domain requires a level of privilege sufficient to create new computer accounts in the domain controller's Security Account Manager database. This right is granted by default to the Domain Admins group, whose membership is, in most cases, carefully guarded. To allow the support groups responsible for new installations to perform their tasks, the "Add workstations to domain" user right is typically used instead.

Marcin Policht's latest article addresses several workarounds for an Active Directory issue in Windows 2000 that limits the installation of new workstations in a domain.

If you follow the same approach after migrating your domain controllers to Windows 2000, you might be in for a surprise. Your setup will initially work, but fairly soon in the process of creating new computer accounts in Active Directory you will receive the following message:

"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this domain.
Contact your system administrator to have this limit reset or increased."

This behavior is intentional. Because the method based on the "Add workstations to the domain" user right bypasses Access Control List checks, Microsoft decided that Active Directory permissions provide a far better mechanism from a security perspective. The old functionality is still preserved, but seriously limited: it allows only the first 10 computer accounts to be added on the basis of the "Add workstations to the domain" user right. The recommended Windows 2000 procedures are documented in Microsoft Knowledge Base article Q251335. In short:

  1. New computer accounts can be pre-created (using Active Directory Users and Computers tool). 
  2. The creation of new accounts can be controlled by assigning permissions on containers storing computer accounts. These permissions can be set on a specific Organizational Unit or the default Computers container. Keep in mind, however, that in the first case, you will have to use a tool such as NetDom in order to join a workstation to its target domain. 
  3. Finally, the artificially imposed limit of 10 computers per non-administrative account can be changed. This involves modifying one of the Active Directory attributes.

There are several ways of accomplishing the goal using the third method. The KB article lists two:

  • The first involves using the LDAP tool, which is part of the Windows 2000 Resource Kit (you can find it on the Windows 2000 installation CD in the Support folder). 
  • The second uses ADSI scripting to modify the Active Directory ms-DS-MachineAccountQuota attribute, which is defined on the samDomain and domainDNS classes. Its value controls the number of new workstation accounts that can be added to a domain. Here is a sample script:

Option Explicit

' Reads the domain's ms-DS-MachineAccountQuota, prompts for a new value and
' writes it back. Run it under an account with write access to the domain
' object (Domain Admins by default).

Dim adsRootDSE, strDomainDNS, objDomainDNS, strADsPath, intQuota, strNewQuota

' rootDSE supplies the distinguished name of the current domain
Set adsRootDSE = GetObject("LDAP://rootDSE")
strDomainDNS = adsRootDSE.Get("defaultNamingContext")

strADsPath = "LDAP://" & strDomainDNS
Set objDomainDNS = GetObject(strADsPath)

intQuota = objDomainDNS.Get("ms-DS-MachineAccountQuota")

WScript.Echo "Current value of " & Chr(34) & "Add Workstations to Domain" & _
    Chr(34) & " limit: " & intQuota

' InputBox returns an empty string if the user cancels
strNewQuota = InputBox("Enter new limit", "New Quota Limit", intQuota)

' Write only a numeric value that differs from the current quota. The attribute
' is a 32-bit integer, so CLng is used rather than CInt (which overflows at 32767).
If strNewQuota <> "" And IsNumeric(strNewQuota) Then
    If Abs(CLng(strNewQuota)) <> CLng(intQuota) Then

        On Error Resume Next
        objDomainDNS.Put "ms-DS-MachineAccountQuota", Abs(CLng(strNewQuota))
        objDomainDNS.SetInfo   ' commits the change to the domain controller

        If Err.Number = 0 Then
            WScript.Echo "New value of " & Chr(34) & _
                "Add Workstations to Domain" & Chr(34) & _
                " limit: " & Abs(CLng(strNewQuota))
        Else
            WScript.Echo "Problem changing the quota limit: " & Err.Description
        End If
        On Error GoTo 0

    End If
End If
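Whatever quota value you settle on, the natural follow-up check is to see which computer accounts were actually created under it. The script below is an added example, not part of Policht's article; it assumes the ADSI OLE DB provider (ADsDSOObject) for the search, that accounts joined under the quota carry the mS-DS-CreatorSID attribute (recording the joining user's SID) while accounts pre-created by an administrator do not, and that the creator can be resolved by binding to LDAP://<SID=...>; SidToName is a hypothetical helper written here.

```vbscript
Option Explicit

' Lists computer accounts joined through the quota mechanism. Such objects
' carry mS-DS-CreatorSID (set when the creator had no create rights on the
' container), which is resolved here to the creating account's name.

Dim adsRootDSE, strDomainDNS, objConn, objCmd, objRS, intCount

Function SidToName(arrSid)
    ' Convert the binary SID to a hex string and bind to it via LDAP://<SID=...>
    Dim i, strHex, objAcct
    For i = 1 To LenB(arrSid)
        strHex = strHex & Right("0" & Hex(AscB(MidB(arrSid, i, 1))), 2)
    Next
    On Error Resume Next
    Set objAcct = GetObject("LDAP://<SID=" & strHex & ">")
    If Err.Number = 0 Then
        SidToName = objAcct.Get("sAMAccountName")
    Else
        SidToName = "<unresolved SID " & strHex & ">"   ' deleted or foreign account
    End If
    On Error GoTo 0
End Function

Set adsRootDSE = GetObject("LDAP://rootDSE")
strDomainDNS = adsRootDSE.Get("defaultNamingContext")

' ADO query through the ADSI OLE DB provider for computers with a creator SID
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & strDomainDNS & ">;" & _
    "(&(objectCategory=computer)(mS-DS-CreatorSID=*));" & _
    "distinguishedName,whenCreated,mS-DS-CreatorSID;subtree"
objCmd.Properties("Page Size") = 1000   ' paged results for domains with >1000 hits
Set objRS = objCmd.Execute
intCount = 0
Do Until objRS.EOF
    WScript.Echo objRS.Fields("whenCreated").Value & "  " & _
        objRS.Fields("distinguishedName").Value & "  created by " & _
        SidToName(objRS.Fields("mS-DS-CreatorSID").Value)
    intCount = intCount + 1
    objRS.MoveNext
Loop
objRS.Close
objConn.Close
WScript.Echo intCount & " computer account(s) created via ms-DS-MachineAccountQuota"
```

Run it with cscript so the output lands on the console; a single non-administrative account appearing many times in the list is the sign that the quota, rather than delegated permissions on a container, is doing the work.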
