ConfigManager OSD : Joining machines to a domain and its security

October 20, 2008 at 5:51 pm in ConfigMgr, ConfigMgr 2007, sccm, SCCM 2007 by Kenny Buntinx [MVP]

Today , I was at a customer and I was struggling to get a task sequence up and running . After analyzing the log files , I discovered that it had trouble to join the domain.I say to myself , that is strange , I never had any trouble with it before.

Looking up the account for joining the domain , we assigned it with special rights to just be able to add or modify computer objects in a certain container .Security for everything right :-)

Looking some deeper I discovered that the account was over the limit of joining / disjoining the domain . Only Domain admins are allowed to go over that limit .

Most of you know the limit of 10 times authenticated users can join machines to a domain. Upping the limit, or removing it is a very simple thing to do, however everytime someone asks me, I have to go back to look it up again. 

How to fix this issue :

The Active Directory attribute you need to change is mS-DS-MachineAccountQuota which is a property of the domain object. Here’s the steps to change it:

– Start ADSI Edit (start/run/adsiedit.msc)
– Expand out the Domain node, right click on DC=<yourdomain>,DC=com and select properties
– Scan down to ms-DS-MachineAccountQuota
– Modify the value as appropriate, or clear the value to remove the limit entirely.


After this I still got an access denied when I tried to join the domain with my special account , but the difference was that the computerobject already existed in AD . My special account only had the right to Create / Delete objects to the corresponding Organizational Unit .

So to be able to let this account also modify existing computer objects in AD on the specific container , I needed to do the following steps below :

Grant additional permissions to the account that you are using:

1. Start Adsiedit.msc.
2. Open the Domain NC, DC=domain, OU=your Organizational Unit node.
3. Click your Organizational Unit, and then click Properties.
4. On the Security tab, click Advanced.
5. Click Add, and then click the appropriate user account or group.
6. In the Apply onto box, click Computer Objects.
7. In the Permissions pane, click to select the Write All Properties, the Reset Password.
8. Click OK until the change is made.
9. Wait for Active Directory replication to occur, or force synchronization to occur.


Hope it helps ,


Kenny Buntinx

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInPin on Pinterest