You Have Exceeded the Maximum Number of Computer Accounts

 
 
Charles
10-07-2004
The MSKB article 314462 discusses the problem: "You Have
Exceeded the Maximum Number of Computer Accounts" Error
Message When You Try to Join a Windows XP Computer to a
Windows 2000 Domain.

However, there are many unanswered questions.

1. It appears as though by default anyone/everyone in
the "Authenticated Users" group can add up to ten machines
to the domain. Why would I ever want non-admins to be
able to join computers to the domain?

2. If I modify the default value of 10 and set the value
to 0, would that have any implications to our domain
admins?

3. I have created an OU within Active Directory and
delegated responsibility to it. For this one OU (and
only this one OU) I want a non domain admin to be able to
add as many computers to the domain as required. How can
I achieve that in respect to the MSKB 314462?

Thanks in advance for any suggestions or feedback

 
Charles
10-07-2004
What post?
>-----Original Message-----
>See this previous post:
>
>--
>Ryan Sokolowski
>MCSE, CCNA, CCDA, BCFP
>Microsoft Enterprise Engineering Center
>
>This posting is provided "AS IS" with no warranties, and confers no rights.

Ryan Sokolowski [Microsoft]
10-07-2004
My mistake...I tried to attach the post. Here is the text of my previous
post...



You'll want to grant them the right to Add a workstation to a domain.

In Group Policy, run through the Delegation of Control wizard:

Select your group or users (always put your users in a group and assign
rights to the group)

Select "Create a custom task to delegate"

Choose "only the following objects in the folder"

Select "Computer objects" and check both boxes below: "Create ..." and
"Delete..."

Choose "Full Control" in the next window and you should be set!

I hope this works for you...


--
Ryan Sokolowski
MCSE, CCNA, CCDA, BCFP
Microsoft Enterprise Engineering Center

This posting is provided "AS IS" with no warranties, and confers no rights.

Miha Pihler
10-08-2004
Charles,

By giving users a domain account, you express your trust in them. If users can
add their computer to the domain, this doesn't give them any more permissions
than they have before, it just makes their work easier.

In Windows 2003 (and I think there are some workarounds on Windows 2000) you
can redirect where computer and user accounts are created when they are
added to the domain. E.g. instead of the Computer container or User container,
these accounts are created in e.g. a New Computers OU. Since new objects are
now created in an OU, you can immediately apply group policy to it (e.g. SUS GP,
access to internet limitations, AV installation, etc.). So you
can really lock down any PC that is added to the domain...

If you decide to change the value of 10 to a value of 0, this will not affect
administrators in any way (they will still be able to add as many computers
to the domain as needed as long as they have administrator privileges)...

Mike

Charles
10-08-2004
Mike,

Thanks for the reply.

We have a computer naming standard on our network. One
concern I have about standard "domain users" adding
machine accounts to the domain is that they (users)
rarely adhere to the naming convention and the Help Desk
is constantly tracking down PCs with inappropriate
computer names and having to rename them (to meet the
standard).

Anyway, thanks for the informative reply.

Tomski
01-21-2005
Miha,

Sorry to hi-jack the thread, but do you happen to know the workaround for
Windows 2000 and new computer creation?

We have problems here where people create new computers and release them
onto our network without telling us. It usually involves chasing a lot of people
about it, but if I could design a restrictive policy that gets applied I'm
sure they'd come to me!

We will be upgrading to Windows 2003 infrastructure eventually, but we have
a few other projects in the pipeline before then.

Thanks in advance,

Matt.



"Miha Pihler" wrote:
> In Windows 2003 (and I think there are some workarounds on Windows 2000) you
> can redirect where computer and user accounts are created when they are
> added to domain. E.g. instead of Computer container or User container these
> accounts are created in e.g. New Computers OU. Since now new objects are
> created in OU, you can immediately apply group policy to it (e.g. SUS GP,
> access to internet limitations, AV installation, etc, etc, etc, ...). So you
> can really lock down any PC that is added to domain...


 
Bob Hollness
01-21-2005
Unless you have sufficient rights on AD, you cannot add a computer to the
domain. Remove the rights from these people, this will stop them from doing
it immediately.
--

Bob

--------------------------------------
I'll have a B please Bob.

Todd J Heron
01-21-2005
By default, Authenticated Users in a domain are assigned the Add
workstations to a domain user right and can create up to 10 computer
accounts in the domain. You can configure this security setting by opening
the appropriate policy and expanding the console tree as such: Computer
Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\

http://www.microsoft.com/resources/d.../en-us/526.asp

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
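
The thread's three concerns (how many machines each non-admin has joined against the quota, machines left in the default container where no OU-linked policy reaches them, and names that break the standard) can be audited from the computer objects themselves. The following PowerShell is an added example, not posted by any participant; `Get-QuotaJoinReport`, the `example.test` domain, the SIDs and the naming pattern are assumptions made for illustration.

```powershell
# Added example. Sample objects are constructed; SIDs, names and the domain are placeholders.
# On a live domain the same properties come from the ActiveDirectory module:
#   (Get-ADObject (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
#   Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID'
function Get-QuotaJoinReport {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [int]    $Quota            = 10,                                 # default discussed in the thread
        [string] $DefaultContainer = 'CN=Computers,DC=example,DC=test',  # assumed domain
        [string] $NamePattern      = '^(WS|LT)-\d{4}$'                   # assumed naming standard
    )
    # mS-DS-CreatorSID is populated when an account is created through the
    # "Add workstations to domain" user right; those accounts count against the quota.
    $quotaJoined = @($Computer | Where-Object { $_.'mS-DS-CreatorSID' })

    # Count quota-path accounts per creating user.
    $perCreator = @{}
    foreach ($c in $quotaJoined) {
        $sid = [string]$c.'mS-DS-CreatorSID'
        $perCreator[$sid] = 1 + [int]$perCreator[$sid]
    }

    foreach ($c in $quotaJoined) {
        $sid    = [string]$c.'mS-DS-CreatorSID'
        # Parent DN = everything after the first unescaped comma.
        $parent = ($c.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            Name               = $c.Name
            CreatorSid         = $sid
            CreatedByThisUser  = $perCreator[$sid]
            CreatorAtQuota     = $perCreator[$sid] -ge $Quota
            InDefaultContainer = $parent -eq $DefaultContainer
            MatchesNaming      = $c.Name -match $NamePattern
        }
    }
}

$userA  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$sample = @(
    # Created by an administrator or delegated group: no creator SID, not counted.
    [pscustomobject]@{ Name = 'WS-0101';  DistinguishedName = 'CN=WS-0101,OU=Workstations,DC=example,DC=test';  'mS-DS-CreatorSID' = $null }
    # Joined by an ordinary user: default container, off-standard name.
    [pscustomobject]@{ Name = 'MYLAPTOP'; DistinguishedName = 'CN=MYLAPTOP,CN=Computers,DC=example,DC=test';    'mS-DS-CreatorSID' = $userA }
    # Joined by the same user into a redirected OU, with a conforming name.
    [pscustomobject]@{ Name = 'LT-0042';  DistinguishedName = 'CN=LT-0042,OU=New Computers,DC=example,DC=test'; 'mS-DS-CreatorSID' = $userA }
)
Get-QuotaJoinReport -Computer $sample -Quota 2 | Format-Table -AutoSize
```

With the constructed sample and a quota of 2, both user-joined machines are reported with `CreatorAtQuota` true, and only `MYLAPTOP` is flagged for the default container and the naming standard.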


 
Tomski
01-21-2005
Sorry I don't think I made my previous post clear...

We want these users to be able to add computers to the domain (IT Support -
restricted for everyone else) but we want the machines to have policies
applied immediately. Miha Pihler wrote:

"In Windows 2003 (and I think there are some workarounds on Windows 2000)
you can redirect where computer and user accounts are created when they are
added to domain"

This 'workaround' was what I was interested in.

Thanks for the timely responses.

Miha Pihler [MVP]
01-21-2005
Hi Bob,

By default, any domain user can add (join) up to 10 computers to domain.

--
Mike
Microsoft MVP - Windows Security