Caponato's Notebook

Setting the ms-DS-MachineAccountQuota to 0 removes the default ability for authenticated users (i.e., any domain user) to add computers to the domain, which is essential for minimizing security risks. By default, this attribute allows any authenticated user to add up to 10 computers, which can potentially expose the domain to attacks involving unauthorized device additions

By default, Active Directory allows any authenticated user to add up to 10 computers to the domain. This setting, controlled by the ms-DS-MachineAccountQuota attribute, can be exploited in various attack scenarios. Setting this value to 0 enhances security by restricting computer account creation to only those with specific delegated permissions, such as members of the Workstation-Admins group.

1. Open Active Directory Users and Computers (ADUC).
   1. Right-click on your domain name (e.g., mad.caponato.es) and select Properties.
   2. Go to the Attribute Editor tab.(If the Attribute Editor tab is not visible, ensure that Advanced Features is enabled under the View menu.)
   3. In the Attribute Editor tab, locate and double-click on the attribute ms-DS-MachineAccountQuota.
   4. Set the value to 0 to disable the default quota, thereby preventing any authenticated user from adding computers to the domain.
   5. Click OK and then Apply to save the changes.

By setting ms-DS-MachineAccountQuota to 0, only users or groups with explicit permissions (like Workstation-Admins) can add or remove computers from the domain. This change restricts domain access and minimizes risks of unauthorized device additions, which are commonly exploited in various attack vectors.

Follow these steps to create the Workstation-Admins group in Active Directory.

1. Open Active Directory Users and Computers (ADUC):
   1. Press Win + R, type dsa.msc, and press Enter to open ADUC.
2. Navigate to the Organizational Unit (OU) or location where you want to create the group.
3. Right-click the OU, select New, and then select Group.
4. In the New Object - Group window:
   1. Enter Workstation-Admins as the group name.
   2. Ensure the Group Scope is set to Global.
   3. Set the Group Type to Security.
5. Click OK to create the group.
6. Add users needed to manage computer joins

The Workstation-Admins group is now available. You can add users to this group as needed to delegate permissions for adding and removing computers in the domain.

Warning : this procedure grants permissions at the domain level, if you require on a OU, then a custom delagation must be granted. This is not covered in this tutorial.

To enable the Workstation-Admins group to add and remove computers at the domain level, follow these steps:

1. Open Active Directory Users and Computers (ADUC):
   1. Press Win + R, type dsa.msc, and press Enter to launch ADUC.
2. Right-click on your domain name (e.g., mad.caponato.es) and select Delegate Control.
3. In the Delegation of Control Wizard:
   1. Click Next on the welcome screen.
   2. Click Add… to add the Workstation-Admins group, then click Next.
4. On the Tasks to Delegate page:
   1. Select Delegate the following common tasks.
   2. Select Join a Computer to the domain.
   3. Click next and Finish

This grants the “Join (create)” permission only. Let's also grant “Delete” permission.

1. Open Active Directory Users and Computers (ADUC) if not already open:
   1. Press Win + R, type dsa.msc, and press Enter to launch ADUC.
2. Right-click on your domain name (e.g., mad.caponato.es) and select Security
3. Click on Advanced
4. Locate the entry for Workstation-Admins and click Edit
5. In the permissions list, “Create Computer Objects” is selected, select also “Delete Computer Objects”
6. Click OK, then again OK, and then OK one more time.

The Workstation-Admins group now has the necessary permissions to add and remove computer accounts at the domain level.

Caponato's Samba notebook. Start here or else Main menu