adding computer accounts to AD

[JohnC]

Authenticated users are allowed to add 10 computer
accounts to the domain by default. Is is possible to allow
a particular user or a group to create a specific number
of computer accounts to the domain (for example 20
accounts instead of 10)?

Thank you.

 

[Herb Martin]

A lot of people don't even know about the 10 account
rule -- I have never heard of any way to set this but to
turn it off/on, or give the user the right to make unlimited
accounts (delegate OU permissions or "create computer
account" right like the Account Operators have.)

 

[Matjaz Ladava [MVP]]

Hi Herb. You can change this default value to some value other than 10. You
must set ms-DS-MachineAccountQuota attribute. You can do this using
ADSIedit, by going into domain properties and there locate
ms-DS-MachineAccountQuota attribute. Change it to any value you like.
And the QArticle would be http://support.microsoft.com/?kbid=251335

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 

[Robbie Allen]

Hi John,

Besides the machine account quota, the only way to restrict the number of
objects a particular user or group can create is to use the new quota
feature in Windows Server 2003. But that applies to all object types--it
wouldn't be specific to only computers. With Windows 2000, you don't have
many options.

Regards,
Robbie Allen
Author of "Active Directory Cookbook" (O'Reilly and Associates)
http://www.rallenhome.com/