You Have Exceeded the Maximum Number of Computer Accounts

Discussion in 'Windows Server' started by Charles, Oct 7, 2004.

  1. Charles

    Charles Guest

    The MSKB article 314462 discusses the problem: "You Have
    Exceeded the Maximum Number of Computer Accounts" Error
    Message When You Try to Join a Windows XP Computer to a
    Windows 2000 Domain.

    However, there are many unanswered questions.

    1. It appears as though by default anyone/everyone in
    the "Authenticated Users" group can add up to ten machines
    to the domain. Why would I ever want non-admins to be
    able to join computers to the domain?

    2. If I modify the default value of 10 and set the value
    to 0, would that have any implications to our domain
    admins?

    3. I have created an OU within Active Directory and
    delegated responsibility to it. For this one OU (and
    only this one OU) I want a non domain admin to be able to
    add as many computers to the domain as required. How can
    I achieve that in respect to the MSKB 314462?

    Thanks in advance for any suggestions or feedback
     
    Charles, Oct 7, 2004
    #1

  2. Charles

    Charles Guest

    What post?
    >-----Original Message-----
    >See this previous post:
    >
    >--
    >Ryan Sokolowski
    >MCSE, CCNA, CCDA, BCFP
    >Microsoft Enterprise Engineering Center
    >
    >This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Charles, Oct 7, 2004
    #2

  3. My mistake...I tried to attach the post. Here is the text of my previous
    post...



    You'll want to grant them the right to Add a workstation to a domain.

    In Group Policy, run through the Delegation of Control wizard:

    Select your group or users (always put your users in a group and assign
    rights to the group)

    Select "Create a custom task to delegate"

    Choose "only the following objects in the folder"

    Select "Computer objects" and check both boxes below: "Create ..." and
    "Delete..."

    Choose "Full Control" in the next window and you should be set!

    I hope this works for you...


    --
    Ryan Sokolowski
    MCSE, CCNA, CCDA, BCFP
    Microsoft Enterprise Engineering Center

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Ryan Sokolowski [Microsoft], Oct 8, 2004
    #3
  4. Miha Pihler

    Miha Pihler Guest

    Charles,

    By giving users a domain account you express your trust in them. If users can
    add their computer to the domain, this doesn't give them any more permissions
    than they had before, it just makes their work easier.

    In Windows 2003 (and I think there are some workarounds on Windows 2000) you
    can redirect where computer and user accounts are created when they are
    added to the domain. E.g. instead of the Computer container or User container,
    these accounts are created in e.g. a New Computers OU. Since new objects are now
    created in an OU, you can immediately apply group policy to it (e.g. SUS GP,
    access to internet limitations, AV installation, etc.). So you
    can really lock down any PC that is added to the domain...

    If you decide to change the value of 10 to a value of 0, this will not affect
    administrators in any way (they will still be able to add as many computers
    to the domain as needed as long as they have administrator privileges)...

    Mike

     
    Miha Pihler, Oct 8, 2004
    #4
  5. Charles

    Charles Guest

    Mike,

    Thanks for the reply.

    We have a computer naming standard on our network. One
    concern I have about standard "domain users" adding
    machine accounts to the domain is that they (users)
    rarely adhere to the naming convention and the Help Desk
    is constantly tracking down PCs with inappropriate
    computer names and having to rename them (to meet the
    standard).

    Anyway, thanks for the informative reply.
     
    Charles, Oct 8, 2004
    #5
  6. Tomski

    Tomski Guest

    Miha,

    Sorry to hijack the thread, but do you happen to know the workaround for
    Windows 2000 and new computer creation?

    We have problems here where people create new computers and release them
    onto our network without telling us. It usually involves chasing a lot of people
    about it, but if I could design a restrictive policy that gets applied I'm
    sure they'd come to me!

    We will be upgrading to Windows 2003 infrastructure eventually, but we have
    a few other projects in the pipeline before then.

    Thanks in advance,

    Matt.



    "Miha Pihler" wrote:
    > In Windows 2003 (and I think there are some workarounds on Windows 2000) you
    > can redirect where computer and user accounts are created when they are
    > added to domain. E.g. instead of Computer container or User container these
    > accounts are created in e.g. New Computers OU. Since now new objects are
    > created in OU, you can immediately apply group policy to it (e.g. SUS GP,
    > access to internet limitations, AV installation, etc, etc, etc, ...). So you
    > can really lock down any PC that is added to domain...
     
    Tomski, Jan 21, 2005
    #6
  7. Bob Hollness

    Bob Hollness Guest

    Unless you have sufficient rights on AD, you cannot add a computer to the
    domain. Remove the rights from these people, this will stop them from doing
    it immediately.
    --

    Bob

    --------------------------------------
    I'll have a B please Bob.

     
    Bob Hollness, Jan 21, 2005
    #7
  8. Todd J Heron

    Todd J Heron Guest

    By default, Authenticated Users in a domain are assigned the Add
    workstations to a domain user right and can create up to 10 computer
    accounts in the domain. You can configure this security setting by opening
    the appropriate policy and expanding the console tree as such: Computer
    Configuration\Windows Settings\Security Settings\Local Policies\User Rights
    Assignment\

    http://www.microsoft.com/resources/...dowsserv/2003/standard/proddocs/en-us/526.asp

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights
     
    Todd J Heron, Jan 21, 2005
    #8
  9. Tomski

    Tomski Guest

    Sorry I don't think I made my previous post clear...

    We want these users to be able to add computers to the domain (IT Support -
    restricted for everyone else) but we want the machines to have policies
    applied immediately. Miha Pihler wrote:

    "In Windows 2003 (and I think there are some workarounds on Windows 2000)
    you can redirect where computer and user accounts are created when they are
    added to domain"

    This 'workaround' was what I was interested in.

    Thanks for the timely responses.

     
    Tomski, Jan 21, 2005
    #9
  10. Hi Bob,

    By default, any domain user can add (join) up to 10 computers to domain.

    --
    Mike
    Microsoft MVP - Windows Security

     
    Miha Pihler [MVP], Jan 21, 2005
    #10
  11. Hi,

    The way I like to prevent users adding computers to domain is described in
    this article:

    Domain Users Cannot Join Workstation or Server to a Domain
    http://support.microsoft.com/kb/251335/EN-US/

    I usually use method 3, but instead of raising the number of computers I set
    it to 0.

    I hope this helps.

    --
    Mike
    Microsoft MVP - Windows Security

     
    Miha Pihler [MVP], Jan 21, 2005
    #11
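
Added example, not part of any post in this thread and not Microsoft's own script: a PowerShell audit of the settings discussed above (the quota of 10, who has used it, and where new computer accounts land). It assumes the ActiveDirectory RSAT module; the attribute names ms-DS-MachineAccountQuota and ms-DS-CreatorSID and the redircmp tool are not named in the thread, and the OU path is a placeholder.

```powershell
# Added example: audit of the computer-account quota discussed in this thread.
# Requires the ActiveDirectory module (RSAT). Everything is read-only except
# the final Set-ADDomain call, which is guarded by -WhatIf.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The "default value of 10" lives in ms-DS-MachineAccountQuota on the domain head.
$head  = Get-ADObject -Identity $domain.DistinguishedName `
             -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Output "Quota for non-admin joins in $($domain.DNSRoot): $quota"

# 2. Computer accounts created under the quota record the creator's SID in
#    ms-DS-CreatorSID. Accounts created by administrators or through delegated
#    OU permissions do not carry it, so this lists only quota-based joins.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
              -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   "$($_.'ms-DS-CreatorSID')")
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator deleted or not resolvable
        [pscustomobject]@{
            Computer  = $_.Name
            CreatedBy = $who
            Created   = $_.whenCreated
            Location  = $_.DistinguishedName
        }
    }

# Per-machine detail (useful for chasing naming-standard violations) ...
$joined | Sort-Object CreatedBy, Created | Format-Table -AutoSize
# ... and a per-user count to compare against the quota.
$joined | Group-Object CreatedBy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Where do newly joined computers land? CN=Computers is a container, not an
#    OU, so no GPO can be linked directly to it.
$defaultContainer = "CN=Computers,$($domain.DistinguishedName)"
if ($domain.ComputersContainer -eq $defaultContainer) {
    Write-Output "New computers land in the default container: $defaultContainer"
} else {
    Write-Output "New computers are redirected to: $($domain.ComputersContainer)"
}
# Redirection needs Windows Server 2003 domain functional level.
# Placeholder OU path, adjust before use:
#   redircmp "OU=New Computers,DC=example,DC=com"

# 4. Set the quota to 0 so only administrators and explicitly delegated groups
#    can create computer accounts. Remove -WhatIf to apply.
Set-ADDomain -Identity $domain.DistinguishedName `
    -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

With the quota at 0, the OU-level delegation described in post #3 is what lets a non-admin support group keep joining machines.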
  12. Bob Hollness

    Bob Hollness Guest

    The policies are only applied if the computer is added/moved to the correct
    OU. However, you could set the policies at the root of your domain. Then
    when added and rebooted, the policies apply immediately.

    Regarding redirection, that I do not know.

    --

    Bob

    --------------------------------------
    I'll have a B please Bob.

     
    Bob Hollness, Jan 21, 2005
    #12