Add workstations to domain

AKA: SeMachineAccountPrivilege, Add workstations to domain

Default assignment: Authenticated Users

This user right only has effect on domain controllers. It has no function on member servers or workstations.

This right allows the holder to create up to 10 computer accounts in the domain. Note that even though the user right's name says “workstations”, the right allows you to create computer accounts for both workstations and member servers. If you have already joined 10 computers to the domain, Windows will complain: “Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.”

Since the default assignment is to Authenticated Users, any user in the forest can connect a computer to the network and join it to the domain. This is probably not appropriate for most environments that have an IT administrator.

This right is not the only way you can be authorized to create computer accounts; you can create a computer account in any Organizational Unit on which you have the Create Computer permission in the OU’s ACL. If you have both the OU permission and the right, Windows uses the OU permission to create the computer object, so the operation does not count against your quota of 10. Thus when IT admins create computer objects, it is usually the OU permission that gets used.

The quota of 10 accounts is stored in Active Directory in the ms-DS-MachineAccountQuota attribute on the domain object. See “Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain” in KB 251335 for how to increase or decrease ms-DS-MachineAccountQuota.
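As an added audit example (not from the original article or KB 251335), the following PowerShell reads the current ms-DS-MachineAccountQuota and lists which accounts have joined computers through this user right rather than through an OU permission. It assumes the ActiveDirectory RSAT module and a domain-joined session; the report column names are my own.

```powershell
# Added example: audit ms-DS-MachineAccountQuota and quota-based computer joins.
# Assumes the ActiveDirectory module (RSAT) and a session with read access to AD.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# 1. The quota that governs joins made via "Add workstations to domain" (default 10).
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer objects created through the quota path carry mS-DS-CreatorSID;
#    objects created by someone holding the OU "Create Computer" permission do not.
#    So every object below was joined by a user relying on this user right.
$byQuota = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' }

$report = $byQuota | Group-Object { $_.'mS-DS-CreatorSID'.Value } | ForEach-Object {
    $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator may have been deleted; keep the raw SID
    [pscustomobject]@{
        Creator = $who
        Joined  = $_.Count
        Quota   = $quota
        AtLimit = ($_.Count -ge $quota)
        Newest  = ($_.Group | Sort-Object whenCreated -Descending | Select-Object -First 1).Name
    }
}
$report | Sort-Object Joined -Descending | Format-Table -AutoSize

# 3. Remediation (uncomment to apply): a quota of 0 stops non-administrators from
#    joining machines via this right; admins with the OU permission are unaffected.
# Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Run step 2 before changing the quota so you know which existing machines were joined by ordinary users and can move their ownership to IT.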

