To each his own but you can do that just fine with ms-DS-MachineAccountQuota set to zero. The value of ms-DS-MachineAccountQuota is actually rather irrelevant with properly delegated permissions.
We have a LOT of OUs with tens of thousands of computer objects and zero in the default container, without all the extras you describe below. There are also plenty of admins who can join the domain in the proper location based on discrete delegations. Moving and disabling and chastising after the fact seems like a lot of extra work to me. If they can't do it wrong, because you control it with the delegations and they get "I'm sorry Dave, but I can't let you do that", they can't very well "forget" and do it wrong, resulting in the need for intervention :-) Much of this is going away in our environment with process improvement and automated deployments, but it has worked fine for > 10 years.

-----Original Message-----
From: Paul Gordon [mailto:[email protected]]
Sent: Thursday, June 21, 2012 2:11 AM
To: NT System Admin Issues
Subject: RE: How many in your company can join systems to domain

I have done this.... Because my requirement *IS* to allow a certain number of delegated regional admins (who are NOT Domain Admin members) to join computers, I have not reduced the ms-ds-machineaccountquota, as that is too blunt a tool and can't distinguish between ordinary users and my delegated admins... - In fact I have *increased* the quota so that those regional administrators can continue to function...

However, I *HAVE*...
- created a brand new top level OU called "Computers to be moved".
- ACLd that OU to only allow my intended admins to create child objects.
- Changed the default container for new computer objects in AD to this new OU.

Now, any computer that joins the domain does not get created in the default Computers container, but in my new OU. I have issued a very prescriptive process to those regional admins that instructs them in no uncertain terms that when joining computers to our domain they must pre-create the computer account in their specific OU before joining the machine. Obviously, most of the time they forget to do this (don't we all?) and just do it the regular way, such that the computer account does end up in that "Computers to be moved" OU... - (which is also fine, just so long as they then remember to immediately go into ADUC & move the object to the correct OU, which they've also been instructed to do). So by way of "encouraging" them to change their habits, I run the following PowerShell script as a scheduled task every hour, on the hour, which disables any machine accounts that happen to be there! - It could just as easily delete those computer accounts... :-) - Feel free to take this script and do with it as you will... - but I'd appreciate getting back any improvements!

    # Script to automatically disable any computer accounts found to exist in the Computers container in AD
    # Version: 1.0
    # Date: 18-01-2012
    # Author Paul Gordon

    ##################################################################################
    # FUNCTION DECLARATIONS                                                          #
    ##################################################################################

    function MyLog {
        # Log events to screen and/or file
        param ([string]$msg, [int]$flag, [int]$target)
        # $flag = Log event type (INFO, WARNING, etc), $target = log destination (0=none, 1=screen, 2=file, 3=both)
        # $LogFile is read from the script scope (set in the main body before the first call)
        if ($target -gt 1) {$fileoutput=$true}
        if ($target -eq 1 -OR $target -eq 3) {$screenoutput=$true}
        $date = get-date -format "dd/MM/yyyy HH:mm:ss"
        if ($flag -eq 0) {
            if ($fileoutput) {Write-Output "$date INFO: $msg" | Out-File $LogFile -append}       #write to file if target flag=2 or 3
            if ($screenoutput) {write-host "$date INFO: $msg"}                                   #write to screen if target flag=1 or 3
        }
        elseif ($flag -eq 1) {
            if ($fileoutput) {Write-Output "$date WARNING: $msg" | Out-File $LogFile -append}    #write to file if target flag=2 or 3
            if ($screenoutput) {write-host "$date WARNING: $msg"}                                #write to screen if target flag=1 or 3
        }
        elseif ($flag -eq 2) {
            if ($fileoutput) {Write-Output "$date ERROR: $msg" | Out-File $LogFile -append}      #write to file if target flag=2 or 3
            if ($screenoutput) {write-host "$date ERROR: $msg"}                                  #write to screen if target flag=1 or 3
        }
        elseif ($flag -eq 3) {
            if ($fileoutput) {Write-Output "$date DEBUG: $msg" | Out-File $LogFile -append}      #write to file if target flag=2 or 3
            if ($screenoutput) {write-host "$date DEBUG: $msg"}                                  #write to screen if target flag=1 or 3
        }
    }

    ##################################################################################
    # MAIN SCRIPT BODY                                                               #
    ##################################################################################

    # Import the required AD powershell module
    Import-Module ActiveDirectory

    # Set the path of the computers container to be inspected
    #$containerpath="CN=Computers,DC=contoso,DC=com"          # OLD VERSION USING DEFAULT COMPUTERS CONTAINER ###
    $containerpath="OU=Computers-to-be-moved,DC=contoso,DC=com"   # NEW PATH

    # Enumerate any enabled computer account objects found there
    $computers=get-adcomputer -filter {enabled -eq $true} -searchbase $containerpath

    # Log file must be set before the first MyLog call (plain quotes: the original used curly quotes)
    $LogFile = 'C:\windows\logs\disabledefaultcomputers.log'

    MyLog "----------------------------------------------------------------------------------------" 0 3
    MyLog "** Beginning disable of any computer objects found in the default computers container **" 0 3

    if ($computers -ne $null) {
        # Wrap in @() so a single returned object still reports a .Count of 1 instead of $null
        $computercount=@($computers).count
        $computers|Set-ADComputer -enabled:$false
        MyLog "Disabled $computercount computer objects in the specified computers container." 0 3
    }
    else {
        MyLog "The specified computers container currently has no enabled computer objects within." 0 3
    }

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: 20 June 2012 17:43
To: NT System Admin Issues
Subject: Re: How many in your company can join systems to domain

By default yes, unless you turn it off, which, IMHO, is the sane thing to do...

On Wed, Jun 20, 2012 at 8:30 AM, Webster <[email protected]> wrote:
> I haven't had to deal with this in a long time but IIRC anyone who is
> in Domain Users can join up to 10 computers to your domain.
>
> http://support.microsoft.com/kb/243327
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com
>
> From: David Lum <[email protected]>
> Reply-To: NT Issues <[email protected]>
> Date: Wednesday, June 20, 2012 8:19 AM
> To: NT Issues <[email protected]>
> Subject: How many in your company can join systems to domain
>
> Subject line pretty much says it. We have 600 employees and an IT
> staff of 50-ish (including developers) and I swear all 50 can join
> systems to the domain. Certainly 10 of them can and that seems like a lot.
>
> Brought up because these guys drive me crazy by loosely following
> naming standards, not moving to the appropriate OU, and not putting
> descriptions in AD.
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
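Added example, not code from any poster in this thread: the model argued for in the top reply (ms-DS-MachineAccountQuota at zero plus explicit, OU-scoped delegation of computer-object creation), implemented with the ActiveDirectory module and System.DirectoryServices types, followed by an audit pass that reports which principals can create computer objects in which OU and where the default computer container currently points (the redirection Paul Gordon describes). The OU distinguished name and the group name are placeholders for your own environment. It grants only Create/Delete of computer objects; where joiners must also join machines to accounts pre-created by someone else, the additional attribute rights the ADUC "Join a computer to the domain" delegation grants would be needed and are not shown here.

```powershell
# Added example (not code from any poster in this thread): quota at zero plus
# explicit, OU-scoped delegation of computer-object creation, then an audit of
# who can create computer objects where. $TargetOU and $JoinerGroup are
# placeholders for your own environment.
Import-Module ActiveDirectory

$TargetOU    = 'OU=Workstations,OU=Region-A,DC=contoso,DC=com'   # placeholder OU
$JoinerGroup = 'Region-A-Workstation-Joiners'                     # placeholder group (sAMAccountName)

$domain = Get-ADDomain

# 1. ms-DS-MachineAccountQuota. At zero, Authenticated Users get no implicit
#    right to create machine accounts; only explicit ACL grants remain, which is
#    why the value stops mattering once delegation is in place.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is currently $quota"
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'ms-DS-MachineAccountQuota set to 0'
}

# 2. Resolve the schemaIDGUID of the 'computer' class from the schema instead of
#    hard-coding it, so the ACE applies to computer objects only.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# 3. Grant the joiner group Create/Delete child objects of class 'computer' on
#    the target OU only (InheritanceType None: the right does not flow down).
$joinerSid = (Get-ADGroup -Identity $JoinerGroup).SID
$rights    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $joinerSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
Write-Host "Granted Create/Delete computer objects on $TargetOU to $JoinerGroup"

# 4. Where do unplanned joins land? This is the container redircmp changes.
Write-Host "Default container for new computer objects: $($domain.ComputersContainer)"

# 5. Audit: every Allow ACE on an OU that permits creating computer objects,
#    either class-specific or via an unrestricted CreateChild / GenericAll.
function Get-ComputerCreateDelegations {
    param([guid]$ComputerClassGuid)
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $ouAcl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($rule in $ouAcl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (($rule.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
            $allClasses = ($rule.ObjectType -eq [guid]::Empty)
            if (-not $allClasses -and $rule.ObjectType -ne $ComputerClassGuid) { continue }
            if ($allClasses) { $scope = 'any object class' } else { $scope = 'computer class only' }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $rule.IdentityReference.Value
                Scope     = $scope
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-ComputerCreateDelegations -ComputerClassGuid $computerGuid |
    Sort-Object OU, Principal |
    Format-Table -AutoSize
```

Run the audit part on its own first: rows whose Scope is "any object class" are the broad grants (GenericAll or unrestricted CreateChild, often inherited from the domain head) that let a principal create far more than computer objects, and those are the ones to compare against your intended delegation list before touching the quota.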
