INFO: How does ms-DS-MachineAccountQuota work?
|
|
What is ms-DS-MachineAccountQuota?
ms-DS-MachineAccountQuota is an attribute of the domain object that tells Active Directory how many computers an ordinary authenticated user may join to the domain. By default an authenticated user may join up to ten computers without any additional permissions or rights; ten is the default value of the attribute. The value can be raised, or the feature disabled altogether by setting ms-DS-MachineAccountQuota to zero. Administrative and delegated users are exempt from the quota, because the permissions they hold in the directory satisfy the join before the quota is ever consulted.
How does it work?
The operation of joining a computer to the domain can be broken into two phases, permissions validation and quota validation (unofficial terminology). The directory first checks whether the user performing the join is exempt from the quota by virtue of their permissions. Only if the user is not exempt does the second phase, the quota check, run; the computer object is then created by the directory service.
Note. If a user is exempt from the quota, then the computer is created without checking to see if the quota has been exceeded.
Permissions Validation
When a user attempts to join a computer to the domain, the authenticating Domain Controller checks whether the user context performing the operation holds the CREATE_CHILD permission for computer objects on the parent container (by default CN=Computers,DC=<DNS-domain-name>; this container can be redirected once the domain is at the Windows Server 2003 functional level). If the user context holds this permission the check succeeds and the user can add the workstation without the quota being applied. If the user context does not hold [computer] CREATE_CHILD, the user right SE_MACHINE_ACCOUNT_PRIVILEGE ("Add workstations to domain") is checked. If the user has this right, the join continues only if the quota has not been exhausted. If the user has neither the permission nor the right, the user cannot add a workstation to the domain.
Note. By default, the Authenticated Users security principal has the right SE_MACHINE_ACCOUNT_PRIVILEGE.
This series of events looks something like this:
- User attempts to join machine to the domain (local administrator permissions required)
- Domain Controller checks to see if user has permissions to create computer objects in the default computers container.
- If the user has the necessary permissions, ms-DS-MachineAccountQuota is not checked. Operation will succeed.
- If the user doesn't have the necessary permissions, the Domain Controller checks to see if the user has the user right "Add workstations to domain".
- If the user has the necessary right, ms-DS-MachineAccountQuota is checked. The operation succeeds if the number of computer objects created by this user is less than the value defined in ms-DS-MachineAccountQuota.
- If the user has neither the create computer object permission nor the "Add workstations to domain" right, the operation fails and the user is told they do not have permission to carry out the request. If the user has the "Add workstations to domain" right but has exhausted the value defined in ms-DS-MachineAccountQuota, the operation fails and the user is told they cannot join any more machines to the domain.
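The two checks in the sequence above can be reproduced from a management workstation. The script below is an added example, not part of the original article: it uses the ActiveDirectory PowerShell module to test, for one user, whether an Allow ACE on the (possibly redirected) default computers container grants CREATE_CHILD for computer objects to any SID the user's token would carry, and otherwise whether one of those SIDs is listed under SeMachineAccountPrivilege in the Default Domain Controllers Policy template in SYSVOL. $UserName is a placeholder; it assumes the caller can read the container ACL and SYSVOL, and that no other GPO linked to the Domain Controllers OU overrides the user right.

```powershell
# Added example, not part of the original article: reproduces the permissions
# validation phase for one user with the ActiveDirectory module.
# Assumptions: run on a domain-joined host as an account that can read the
# container ACL and SYSVOL; $UserName is a placeholder sAMAccountName.
param([string]$UserName = 'jdoe')
Import-Module ActiveDirectory

# schemaIDGUID of the computer class. An ACE scoped to this GUID grants rights on
# computer objects only; an ACE with an empty GUID covers every child class.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$domain = Get-ADDomain
$user   = Get-ADUser -Identity $UserName -Properties primaryGroupID

# SIDs the user's token carries: the user, Everyone, Authenticated Users, the
# primary group, and every nested group (LDAP_MATCHING_RULE_IN_CHAIN is transitive).
$tokenSids  = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11')
$tokenSids += "$($domain.DomainSID.Value)-$($user.primaryGroupID)"
$tokenSids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              ForEach-Object { $_.SID.Value }

function Test-CreateComputerChild {
    # Does any Allow ACE on the container grant CREATE_CHILD for computer objects
    # to one of the token SIDs? Simplification: Deny ACEs are not evaluated, so
    # this can over-report compared with the DC's real access check.
    param([string]$ContainerDN)
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $computerClassGuid) { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned trustee that no longer resolves
        if ($tokenSids -contains $aceSid) { return $true }
    }
    return $false
}

function Test-MachineAccountPrivilege {
    # Is a token SID listed under SeMachineAccountPrivilege in the Default Domain
    # Controllers Policy security template? Assumption: no other GPO linked to the
    # Domain Controllers OU overrides the setting (confirm with gpresult on a DC).
    $ddcp = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
    $inf  = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$ddcp\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
    if (-not $line) { return $false }
    # Template syntax: SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
    $grantees = ($line -replace '^SeMachineAccountPrivilege\s*=\s*', '') -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($tokenSids | Where-Object { $grantees -contains $_ })
}

$container = $domain.ComputersContainer   # honours a redirected computers container
if (Test-CreateComputerChild -ContainerDN $container) {
    "$UserName holds CREATE_CHILD (computer) on ${container}: ms-DS-MachineAccountQuota is not consulted"
} elseif (Test-MachineAccountPrivilege) {
    "$UserName relies on SeMachineAccountPrivilege: the join succeeds only while under ms-DS-MachineAccountQuota"
} else {
    "$UserName can neither create computer objects nor add workstations: the join is refused"
}
```

The order of the two functions mirrors the DC: the quota only matters for users who fall through the first test. In a hardening review, the first function is the one to run against every container a user might target, since a delegation that grants CREATE_CHILD for computers anywhere in the domain silently bypasses the quota.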
Quota Validation
If the user does not hold the CREATE_CHILD permission, the Domain Controller checks whether the domain quota still allows this user to add a computer. To do so it searches the domain for computer objects whose ms-DS-CreatorSID equals the objectSID of the user performing the operation. If the number of computers returned by the query is less than the value of ms-DS-MachineAccountQuota, the account is created, ms-DS-CreatorSID is stamped with the user's SID (objectSID) and the owner of the new computer object is set to Domain Admins.
Note. ms-DS-CreatorSID is indexed, therefore this is a very fast search.
This series of events looks something like this:
- User allowed to create computer objects if quota not exceeded, therefore check quota
- If (&(objectCategory=computer)(ms-DS-CreatorSID=objectSID)) returns fewer results than the value of ms-DS-MachineAccountQuota then
- Create computer, set ms-DS-CreatorSID to the SID of the user and set Domain Admins as the owner
Note. Because the check counts objects rather than a lifetime total, the quota is only loosely enforced. A user cannot hold more computer objects in the directory than the quota allows, but the count only includes objects that still exist, and it may be possible to exceed the quota by one or two objects.
As an example, if a user created a computer account in the past and that computer was later decommissioned (and its object removed from Active Directory), the count returned by the LDAP query is the number of computers the user joined minus the number of those objects that are no longer in the directory. The user can therefore add another computer.
As another example, a user could exceed the quota by targeting several Domain Controllers within the replication latency, so that each DC sees a count below the quota before the others' new objects replicate in. This is not easy to arrange and would exceed the quota by at most a few objects.
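The quota check itself, and the "disable by setting to zero" step mentioned above and in the summary, can be reproduced with the ActiveDirectory module. The script below is an added example and not part of the original article: it reads ms-DS-MachineAccountQuota from the domain object, runs the same indexed mS-DS-CreatorSID search the DC runs for the given user, and reports the headroom left; with -DisableQuota it sets the attribute to 0. $UserName is a placeholder, and the helper that encodes the SID for the LDAP filter is the author's own, written here because mS-DS-CreatorSID is stored as an octet string rather than as the "S-1-5-..." text form.

```powershell
# Added example, not part of the original article: repeats the DC's quota
# validation for one user and optionally disables the quota.
# Assumptions: ActiveDirectory module available; $UserName is a placeholder;
# -DisableQuota needs write access to the domain object.
param(
    [string]$UserName = 'jdoe',
    [switch]$DisableQuota
)
Import-Module ActiveDirectory

function ConvertTo-LdapSidFilterValue {
    # mS-DS-CreatorSID is an octet string, so the filter must carry the binary
    # SID as backslash-escaped hex bytes (RFC 4515), e.g. \01\05\00\00...
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

$domain       = Get-ADDomain
$domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota        = [int]$domainObject.'ms-DS-MachineAccountQuota'
$user         = Get-ADUser -Identity $UserName

# The same indexed query the DC runs: computer objects whose creator SID is this user.
$filter  = "(&(objectCategory=computer)(mS-DS-CreatorSID=$(ConvertTo-LdapSidFilterValue $user.SID)))"
$created = @(Get-ADComputer -LDAPFilter $filter -SearchBase $domain.DistinguishedName -Properties whenCreated)

"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
"computer objects still in the directory that $UserName created: $($created.Count)"
$created | Sort-Object whenCreated | Format-Table Name, whenCreated, DistinguishedName -AutoSize

# Only objects that still exist are counted, so deleting a computer the user
# created hands the headroom back: this is the loose enforcement described above.
if ($quota -eq 0) {
    "quota is 0: joins that rely on SeMachineAccountPrivilege alone are refused"
} elseif ($created.Count -lt $quota) {
    "$UserName may still create $($quota - $created.Count) computer object(s) as seen by this DC"
} else {
    "$UserName has reached the quota; the next join via the user right fails"
}

if ($DisableQuota) {
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "ms-DS-MachineAccountQuota set to 0; users now need CREATE_CHILD on the target container to join computers"
}
```

Run it without -DisableQuota first: the per-user listing is the quickest way to find accounts that have been quietly creating computer objects, and the query is cheap because mS-DS-CreatorSID is indexed. Note that the count is whatever the queried DC holds at that moment, which is exactly why the replication-latency case above can slip past the quota.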
Summary
ms-DS-MachineAccountQuota stores the number of computers a user is allowed to join to the domain (strictly, the number of computer objects that user is allowed to create in the domain). When a machine is joined, the authenticating Domain Controller searches the domain for all computer objects previously created by this user and compares that count against ms-DS-MachineAccountQuota. If the count is less than the quota the operation succeeds; otherwise it fails. Administrative and delegated users are exempt because they hold the permission to create computer objects, so the initial permissions check succeeds and the quota is never consulted. By default any authenticated user can join up to ten computers, because Authenticated Users holds the "Add workstations to domain" right by default and the default value of ms-DS-MachineAccountQuota is 10. Setting ms-DS-MachineAccountQuota to zero stops authenticated users from joining workstations to the domain.
References
Domain users cannot join workstation or server to a domain (kb251335)
-- http://support.microsoft.com/?id=251335
Default Limit to Number of Workstations a User Can Join to the Domain (kb243327)
-- http://support.microsoft.com/?id=243327
Document information
Author: Paul Williams
Date: 05-03-2006
Version: 2.0
Last updated: 31-07-2007
Last updated by: Paul Williams