There are basically two methods to address this scenario. I generally implement both so that reverting the changes made by one method does not allow users to continue this practice.

Method #1

The “ten” computer limitation is governed by the ms-DS-MachineAccountQuota attribute in the directory, so you can adjust this limit down to zero by following these steps:

Method #2

You can also control which users and/or groups have the right to add workstations to the domain. By default, the “Default Domain Controllers” group policy object (GPO) provides this right. Using the Group Policy editor, open the Default Domain Controllers GPO, navigate to the User Rights Assignment object, and locate the Add workstations to domain right. Edit these settings and remove all of the members listed. Make sure that you do not unselect the option to define the setting.

Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment

Normally, implementing only one method is required. For either method, you must allow time for replication to occur and for the GPO to refresh (if you choose Method #2) on all of your domain controllers.
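One way to apply Method #1 from PowerShell and then confirm the replication caveat above, shown as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can modify the domain object; the variable names are illustrative.

```powershell
# Added example: set ms-DS-MachineAccountQuota to 0 and verify it on every DC.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the domain object.
Import-Module ActiveDirectory

$attr     = 'ms-DS-MachineAccountQuota'
$domainDN = (Get-ADDomain).DistinguishedName

# Record the current value first so the change can be reverted if needed.
$before = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Output "Current $attr on ${domainDN}: $before"

# Method #1: authenticated users can no longer create computer accounts
# through the quota once this is zero.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# The attribute lives on the domain object and must replicate. Query each
# domain controller directly instead of trusting the one that took the write.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = (Get-ADObject -Identity $domainDN -Server $dc.HostName `
                    -Properties $attr -ErrorAction Stop).$attr
    }
    catch {
        # An unreachable DC is reported, not silently skipped.
        $value = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Quota            = $value
        Replicated       = ("$value" -eq '0')
    }
}

$results | Format-Table -AutoSize

# Any DC still showing the old value can still honour the old quota.
$pending = @($results | Where-Object { -not $_.Replicated })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) domain controller(s) have not picked up the change yet."
}
```

Re-run the verification loop after the replication interval until every row shows Replicated as True.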
