In this article, you are going to learn how to prevent your users from joining computers to your domain on their own.
We are going to block it, but before that, it's important to know that by default, every user who is a member of the Authenticated Users group can join a maximum of 10 computers to the domain with their own permissions.
Not many people know that.
I am pretty confident that after reading this article, some of you will apply this policy in your environment.
We perform these steps in ADSI Edit. We need to change a specific attribute called "ms-DS-MachineAccountQuota", whose default value is 10.
How can we change it?
Log on to a domain controller with a user that is a member of Domain Admins
Open ADSI Edit
Then connect to the Default naming context
Expand "Default naming context" and the DC node as well, then right-click it and choose Properties:
Find “ms-DS-MachineAccountQuota” attribute and double-click on it:
Change the value to 0:
The last step is to replicate the change now (with Repadmin or Active Directory Sites and Services), or just wait for the next replication.
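
The same change made from PowerShell, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) and a Domain Admins session, uses variable names of my own, and goes one step further than the article by confirming the value on every domain controller and listing computers that were already joined through the user quota.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT) and a Domain Admins session.
Import-Module ActiveDirectory

$attr     = 'ms-DS-MachineAccountQuota'
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain head object (default is 10).
$before = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "Current $attr : $before"

# 2. Set the quota to 0 so ordinary users can no longer join computers.
if ($before -ne 0) {
    Set-ADDomain -Identity $domainDN -Replace @{ $attr = 0 }
}

# 3. Query every domain controller to confirm the change has replicated.
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = (Get-ADObject -Identity $domainDN -Properties $attr -Server $dc.HostName).$attr
        Write-Host ("{0,-40} {1} = {2}" -f $dc.HostName, $attr, $value)
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

# 4. List computers that were joined through the user quota in the past.
#    ms-DS-CreatorSID is set on computer accounts created that way.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account no longer resolves
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; Created = $_.whenCreated }
    } | Sort-Object Created | Format-Table -AutoSize
```

A domain controller that still reports 10 in step 3 has not yet received the change; the output of step 4 shows which existing machines were joined by regular users before the quota was removed.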