You Have Exceeded the Maximum Number of Computer Accounts

KB ID 0001536

Problem

A few weeks ago, this was asked in a forum, and while I knew what the problem was, I’d never seen it myself. So I recreated the problem on the test network to look at why it happened, and how to fix / get around the problem.

The following error occurred attempting to join the domain {domain-name}:

Your computer could not be joined to the domain. You have
exceeded the maximum number of computer accounts you are
allowed to create in this domain. Contact your system
administrator to have this limit reset or increased.

There is no per-user counter to "reset": as explained below, the domain controller works out how many computers a user has joined by counting the computer objects that carry that user's SID, so short of deleting (or re-homing) those computer objects, or deleting and recreating the user account, the count does not go down. So what's going on? Every authenticated domain user has the RIGHT to join a computer to the domain, and the number of computers they can join is limited by the domain attribute ms-DS-MachineAccountQuota, which defaults to 10 (ten).

Exceptions / Users Not Affected

Members of the Domain Admins group, and users (or groups) that have been delegated the right to create computer objects, are exempt from this limit.

Solution Option 1 – Use an Administrative Account

Pretty straightforward: the easiest way to avoid this is to add computers to the domain using an account that's a member of the Domain Admins group. From a least-privilege point of view it is also the worst option, because you are typing Domain Admin credentials into a workstation just to join it; Option 3 below gives the same result with far less privilege.

Solution Option 2 – Raise The Limit From 10

This limit is set at a domain level, i.e. it's not set on a particular user, so you have to raise the limit for ALL users. To do this log onto a domain controller and launch Adsiedit.msc > Connect To > Default Naming Context > OK.

Select DC={Your Domain},DC={tld} (the domain naming context itself) > Properties > Locate ms-DS-MachineAccountQuota > Edit > Change the value from 10 to something greater. Be aware that the same attribute can be set to 0, which removes the right from ordinary users altogether; raising it does the opposite and widens who can add machines to your domain, so only do this if you really want every authenticated user to be able to join more computers.

Solution Option 3 – Delegate Create Computer Object Right

Locate the OU (or container) that your new computer objects get added to, (I say container because 'Computers' is NOT an OU) > Right Click > Delegate Control > Next > Add your domain user (better: a group you put users into) > Next > Create a custom task > Next.

Only the following objects in the folder > Tick: Computer objects > Tick: Create selected objects in this folder > Next > Tick: Property-specific > Tick: Read All Properties > Next > Finish.
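The same delegation scripted with the AD module and Set-Acl, as an added example (this is not code from the original article). The OU distinguished name and the group name are assumptions; the schemaIDGUID for the computer class is the real one, and it is what scopes both ACEs to computer objects only. Delegating to a group rather than a single user is my choice, not the article's.

```powershell
# Added example: delegate "Create Computer objects" + "Read All Properties" on an OU with Set-Acl.
# Equivalent to the Delegate Control wizard steps above. Run as a domain admin with the AD module.
Import-Module ActiveDirectory

$ou    = 'OU=Workstations,DC=petenetlive,DC=com'   # assumed target OU
$group = 'PETENETLIVE\Workstation-Joiners'        # assumed group that is allowed to join machines

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of the 'computer' object class; restricts the ACEs to computer objects only
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: may create child objects of class computer in this OU and every sub-OU
$create = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: "Read All Properties", inherited only by computer objects beneath the OU
$read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl.AddAccessRule($create)
$acl.AddAccessRule($read)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify what landed on the OU for that group
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Because the create right is explicit, joins made by members of that group do not count against ms-DS-MachineAccountQuota and the resulting computer objects get no mS-DS-CreatorSID (see "How Does This Work" below); if you also want an audit trail for those joins, rely on event 4741 rather than the attribute.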

Solution Option 4 – Pre-Stage Computer Objects in Active Directory

Not very scalable, but you can pre-create the computer object before the computer is joined to the domain (providing you know its computer name / host name). This can be done in Active Directory Users and Computers; in the New Object wizard you can also set which user or group is allowed to join this computer to the domain, which is what lets a non-admin user complete the join against a pre-staged object.

Then you can simply join the computer to the domain.

How Does This Work

When a computer is joined to a domain a few things happen. The account you are using is checked: if it's a normal user (not a Domain Admin, and without a delegated Create Computer right), then the SID (Security Identifier) of that user is stamped on the COMPUTER object in an attribute called mS-DS-CreatorSID.

What does NOT happen: there is NO value on the USER object that increments by one for each machine joined to the domain; the ONLY reference is on the COMPUTER object. When the next join is attempted, the domain controller searches for computer objects whose mS-DS-CreatorSID matches the joining user's SID and refuses the join if that count has reached ms-DS-MachineAccountQuota. Yes, this seems inefficient, but that's how it works, and it is why deleting those computer objects is the only thing that "resets" a user's count.

If the user has delegated rights to create computer objects, or is a member of Domain Admins, then mS-DS-CreatorSID is not set (if you query it using PowerShell or programmatically it will return null).

Finding Out Who Joined a Computer to The Domain

Because this is stamped on the computer and not on the user, finding out how many computers a particular user (or users) has added is not straightforward! If it's something that's happened recently you can look on your domain controllers in the Security log for Event ID 4741 ("A computer account was created"); it is written on the DC that processed the join, and only if the "Audit Computer Account Management" subcategory is enabled.

Or if you need to do something complicated, then scripting is your friend!

Getting a List of Computers Joined to a Domain (By User)

Use the following PowerShell. It asks the DC for only the computers that actually carry a creator SID (admin and delegated joins leave the attribute empty, so they do not appear), then translates each SID to a user name.

[box]

# Every computer joined through the quota, with the user who joined it
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
    Format-Table -AutoSize -Property Name, @{
        Label      = 'User'
        Expression = { (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID'.Value)).Translate([System.Security.Principal.NTAccount]).Value }
    }

[/box]

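Taking the listing above one step further, as an added example that is not part of the original article: it reads the domain's quota, counts computers per creator instead of listing them one by one, flags users who have hit the limit, and wraps Option 2 (changing the quota) in a small function. It assumes the AD module is available and that the account running it can read the domain object; the `Convert-CreatorSid` helper is mine, there to cope with tooling that returns the attribute as raw bytes instead of a SecurityIdentifier.

```powershell
# Added example: machine-account quota report and (optional) quota change.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = [int](Get-ADObject -Identity $domain.DistinguishedName `
                 -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

function Convert-CreatorSid ($raw) {
    # The AD module normally hands this attribute back as a SecurityIdentifier;
    # some tooling returns the raw byte form, so accept both.
    if ($raw -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
    return [System.Security.Principal.SecurityIdentifier]$raw
}

# Only quota joins stamp mS-DS-CreatorSID; admin/delegated joins leave it empty,
# so this server-side filter returns exactly the objects the DC counts.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID'

$report = foreach ($g in ($joined | Group-Object { (Convert-CreatorSid $_.'mS-DS-CreatorSID').Value })) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Name)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$($g.Name) (unresolved SID; creator account probably deleted)" }
    [pscustomobject]@{
        User      = $who
        Computers = $g.Count
        AtQuota   = ($g.Count -ge $quota)    # this user will get the error on their next join
        Names     = ($g.Group.Name -join ', ')
    }
}
$report | Sort-Object Computers -Descending | Format-Table -AutoSize

function Set-MachineAccountQuota ([int]$NewQuota) {
    # Option 2 from the article, done on the domain object rather than in ADSI Edit.
    # 0 removes the right from ordinary users entirely (the usual hardening choice);
    # a bigger number lets every authenticated user add that many machines.
    Set-ADObject -Identity (Get-ADDomain).DistinguishedName `
                 -Replace @{ 'ms-DS-MachineAccountQuota' = $NewQuota }
}
# e.g.  Set-MachineAccountQuota -NewQuota 0
```

A user shown with AtQuota = True can only be "reset" by removing or re-homing the computer objects in their Names column, because the DC derives the count from those objects at join time; nothing on the user object needs touching.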

Related Articles, References, Credits, or External Links

NA

Windows Administrator “Lost Password” / “Password Reset”

KB ID 0000159

Problem

You have forgotten your password, or the administrator's password, for your Windows machine.

Note: You can also 'blank' or reset the DSRM (Directory Services Restore Mode) password on a Domain Controller using this method (tested on 2012 R2, by blanking the password).

Lost Password : Fix

Lost Password Software Download Links

Password Reset CD Image (3.5Mb) Note: This is a .iso file – you need to burn it as an image! Simply dropping this file on a CD will NOT work.

WARNING – If your drive has been encrypted with Windows BitLocker this procedure will not work: the reset tool edits the SAM database offline, and it cannot read an encrypted volume. (That is also the reason to use BitLocker if you don't want anyone with physical access to do this to your machine.)

Related Articles, References, Credits, or External Links

Windows 8 – Lost / Forgotten Password?

Windows Server – Setup Home Folders and Profile Folders

KB ID 0000739 

Problem

A while back I got an email,

Message: Hallo Pete,

Can you make a tutorial for me for sharing a Home Folder or Profile Path folder for every user?
It’s hard to get one.

Thanks in advance.

Sincerely,
Matthew Wittenberg

Well it’s taken me a while (sorry!) But here you go,

Solution

Creating and Allocating Home Folders to Users

1. Create a folder that is on a drive or volume with plenty of room.

2. I’ve simply used ‘Home’ as the folder name, open the folder’s properties.

3. Sharing Tab > Advanced Sharing.

4. Tick to share > put a dollar '$' symbol onto the end of the share name (this just hides the share from someone browsing the network; it is not a security control) > Permissions.

5. Grant Everyone 'Full Control'. Don't worry, we will lock it down with NTFS permissions (remember the effective permission is the more restrictive of the share permission and the NTFS permission, so the NTFS ACL is where the real restriction lives) > Apply > OK.

6. Security tab > Advanced.

7. Change Permissions.

8. Untick ‘Include inheritable permissions……’ > Add.

9. Select CREATOR OWNER > Edit > Apply to 'Subfolders and files only' > Full control.

10. Select SYSTEM > Edit > Apply to 'This folder, subfolders and files' > Full control.

11. Select DOMAINNAME\Administrators > Edit > Apply to 'This folder, subfolders and files' > Full control.

12. Remove the Users (the one with Read & Execute).

13. Remove the Users (the one with Special).

14. Add.

15. Everyone > Check Names (make sure it underlines Everyone) > OK.

16. Set Apply to = 'This folder only' > Allow the following:

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Home Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users (you can press Ctrl+A to select them all).

2. Open their properties.

3. Profile tab > You can connect a drive letter (I usually use H:) and connect that to the users home drive. Set the path like so;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Home$\%username%

[/box]

4. This is what the users will see.

5. On the server the folders are all created straight away.

Creating and Allocating Roaming Profile Folders to Users

The process for setting up the folder is identical to the one above for the home folders.

1. Create a folder that is on a drive or volume with plenty of room.

2. I've simply used 'Profile' as the folder name. Open the folder's properties > Sharing Tab > Advanced Sharing > Tick to share > put a dollar '$' symbol onto the end of the share name (this just hides the share from someone browsing the network) > Permissions.

3. Grant Everyone 'Full Control'. Don't worry, we will lock it down with NTFS permissions (the effective permission is the more restrictive of the share and NTFS permissions) > Apply > OK.

4. Security tab > Advanced.

5. Change Permissions > Untick ‘Include inheritable permissions..’ > Add.

6. Remove the Users (the one with Read & Execute).

7. Remove the Users (the one with Special).

8. Add.

9. Everyone > Check Names (make sure it underlines Everyone) > OK.

10. Set Apply to = This folder only > Allow the following.

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Roaming Profile Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users (you can press Ctrl+A to select them all).

2. Open their properties > Profile Tab > Tick ‘Profile path’ > Set the path as follows;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Profiles$\%username%

[/box]

3. Unlike home folders, profile folders are only created when the users log onto the network. Here you can see this profile has a .V2 on the end of it (a version 2 profile means it has come from a Windows Vista or newer machine). For this reason, if your users use Windows XP (or older) clients AND Windows Vista (or newer) clients they will get TWO DIFFERENT profiles. Later Windows versions use higher suffixes (.V3, .V4 and so on), and each profile version gets its own separate folder in the same way.
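The two procedures above (home folders and roaming profile folders) are the same share and NTFS recipe applied to two folders, so here is one script that does both, as an added example that is not from the original article. It assumes Windows Server 2012 or later (for New-SmbShare), that it is run as an administrator on the file server, and that the drive letter, folder paths and OU are placeholders to change. The icacls flags map onto the wizard steps: (OI)(CI) is "this folder, subfolders and files", (OI)(CI)(IO) is "subfolders and files only", and no flags is "this folder only".

```powershell
# Added example: create the Home$ and Profiles$ shares, lock them down with NTFS, and point users at them.
Import-Module ActiveDirectory

$server  = $env:COMPUTERNAME
$netbios = (Get-ADDomain).NetBIOSName
$userOU  = 'OU=Staff,DC=petenetlive,DC=com'      # assumed OU holding the users
$shares  = @(
    @{ Path = 'D:\Home';     Name = 'Home$'     },  # assumed paths
    @{ Path = 'D:\Profiles'; Name = 'Profiles$' }
)

foreach ($s in $shares) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # Share permission: Everyone Full Control. Effective access is the more restrictive of
    # share and NTFS, so the NTFS ACL below is the real control. The $ only hides the share.
    if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $s.Name -Path $s.Path -FullAccess 'Everyone' | Out-Null
    }

    # NTFS: remove inheritance, then grant exactly what the article's steps grant.
    # Everyone gets only Traverse (X), List (RD), Read attributes (RA), Create folders (AD) on the top folder.
    icacls $s.Path /inheritance:r | Out-Null
    icacls $s.Path /grant:r `
        'SYSTEM:(OI)(CI)F' `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' `
        'Everyone:(RD,RA,X,AD)' | Out-Null
}

# Point the users at the shares. Set-ADUser needs the real account name; the %username%
# trick only works when you type the path into the ADUC Profile tab.
foreach ($u in Get-ADUser -SearchBase $userOU -Filter *) {
    $sam = $u.SamAccountName
    Set-ADUser -Identity $u -HomeDrive 'H:' `
        -HomeDirectory "\\$server\Home`$\$sam" `
        -ProfilePath   "\\$server\Profiles`$\$sam"

    # ADUC creates the home folder (owned by the user) when you set the path in the GUI; Set-ADUser
    # does not. A folder created here is owned by Administrators, so CREATOR OWNER gives the user
    # nothing; grant them Full Control on their own folder explicitly.
    $homePath = Join-Path 'D:\Home' $sam
    if (-not (Test-Path $homePath)) {
        New-Item -ItemType Directory -Path $homePath | Out-Null
        icacls $homePath /grant "$netbios\$($sam):(OI)(CI)F" | Out-Null
    }
    # Profile folders are left for Windows to create at first logon (it adds the .V2/.V3... suffix itself).
}
```

Afterwards `icacls D:\Home` should show only the four top-level entries, and each user's folder should show the user with (OI)(CI)F plus the inherited SYSTEM and Administrators entries; if a user can see into another user's folder, the Everyone entry has been given inheritance flags it should not have.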

Related Articles, References, Credits, or External Links

NA

Exchange – (INSUFF_ACCESS_RIGHTS)

KB ID 0000719 

Problem

Saw this on a brand new Exchange 2010 install, this is not the first time I’ve written about this problem. It’s caused by the same thing as the error in KB0000434, back then I was trying to move mailboxes. This time I was changing the default E-mail Address Policy. It let me change the policy, but when it tried to apply the change to the user(s) this happened.

Error
Warning:
Failed to update recipient “PeteNetLive/Users/Administrator”. The following exception occurred: Active Directory operation failed on DC01.PeteNetLive.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Solution

1. On a domain controller launch "Active Directory Users and Computers" > View > Advanced Features.

2. Locate the user that is being denied access (in the error above it is the built-in Administrator account), right click > Properties > Security tab > Advanced > Tick "Include inheritable permissions from this object's parent" > Apply > OK. Note that for members of protected groups (Domain Admins, Administrators and so on) this only lasts until the SDProp process next runs, by default every 60 minutes, because it re-stamps the AdminSDHolder ACL and blocks inheritance again; that is why the "Permanent Fix" below exists.

3. Try again.

Permanent Fix

Particularly after a migration this can continue to be a problem. You can stop it on a domain-wide basis by doing the following, but understand what it does first: the ACL on AdminSDHolder is the template copied onto every protected account and group in the domain, so enabling inheritance there weakens the protection of all of them, not just the one Exchange is complaining about. The less invasive alternative is not to use protected accounts as Exchange recipients, or to drop them from the protected groups, rather than change the template.

1. Open Active Directory Users and Computers > Expand {domain-name} > System > AdminSDHolder > Properties > Security > Advanced.

Note: You may need Advanced Features turning on to see System (View > Advanced Features).

2. Place a tick in the 'Include inheritable permissions from this object's parent' option > Apply > OK.
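To see which accounts are under AdminSDHolder's control, why the per-user fix reverts, and how to clean up an account that is no longer in a protected group, here is an added PowerShell example (not from the original article). It assumes the AD module and a domain-admin session; `Get-ProtectedAccountReport` and `Restore-Inheritance` are names I have chosen for this example.

```powershell
# Added example: report AdminSDHolder-protected accounts and whether inheritance is blocked on them.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

function Get-ProtectedAccountReport {
    # SDProp stamps adminCount=1 and the AdminSDHolder ACL (inheritance blocked) on members of the
    # protected groups; anything listed here will lose a manual "include inheritable permissions" tick.
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                 -SearchBase $domainDN -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                InheritanceBlocked = $acl.AreAccessRulesProtected
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function Restore-Inheritance ([string]$DistinguishedName) {
    # Only for an account that has been REMOVED from every protected group: SDProp never undoes its
    # own work, so adminCount stays 1 and inheritance stays blocked until you clear them by hand.
    # Running this on an account still in a protected group just gets reverted within the hour.
    Set-ADObject -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # $false = allow inheritance, $true = keep explicit ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

Get-ProtectedAccountReport | Format-Table Name, ObjectClass, InheritanceBlocked -AutoSize

# The template itself: if this says True, every protected account will keep inheritance blocked
# no matter what you tick on the individual user.
$holder = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
"AdminSDHolder blocks inheritance: $($holder.AreAccessRulesProtected)"
```

If the Exchange error names an account that appears in the report, you have found the cause; if it names an account that is in the report but is no longer in any protected group (common after a migration), `Restore-Inheritance` on that account fixes it without touching AdminSDHolder.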

Related Articles, References, Credits, or External Links

Exchange Mailbox Move Error – (INSUFF_ACCESS_RIGHTS)

Original Article written 22/11/12