How many times have you joined the domain?

Monday, April 27, 2015 in Active Directory (Views: 2143)
Ever since the beginning of what is today called Active Directory, Microsoft has by default let "Authenticated Users" join computers to the domain. Authenticated Users is essentially anyone with a domain credential who can reach the network. This, of course, comes with a trade-off: each of these users can only join computers to the domain 10 times.

Of course, this is configurable: you can turn it off completely or raise the limit. So, how do you know how many times an account has joined the domain? Here's a quick PowerShell one-liner that lists the computers joined to the domain and who joined them.

# mS-DS-CreatorSID comes back from Get-ADComputer as a byte array, so build the SID from
# the bytes (offset 0) and then translate it to DOMAIN\user for display
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object -FilterScript { $null -ne $_."mS-DS-CreatorSID" } |
    Format-Table -AutoSize -Property Name, @{Label='User'; Expression={ (New-Object System.Security.Principal.SecurityIdentifier($_."mS-DS-CreatorSID", 0)).Translate([System.Security.Principal.NTAccount]).Value }}

How does it know? The mS-DS-CreatorSID attribute on the computer object is populated. So, when does it get populated? For anyone who joins a computer to the domain, unless:
1. They are a member of Domain Admins
2. They have been delegated rights to the OU

In either of those two cases the mS-DS-CreatorSID is not populated, so the join doesn't count against the user. This is why you may say, "I've joined computers to the domain 1000 times and it never failed": one of the two conditions above applied.
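An added example, not from the original post, that takes the query above one step further: it groups the computers by creating account, resolves each creator SID (falling back to the raw SID string when the account has since been deleted), and compares each count with the domain's ms-DS-MachineAccountQuota, the attribute that holds the default limit of 10. It assumes the ActiveDirectory module is available and the running account can read the domain; Resolve-CreatorSid is a helper defined here, not a module cmdlet.

```powershell
# Added example (not from the original post): joins per creating account versus the domain quota.
Import-Module ActiveDirectory

# The join limit is stored on the domain naming context as ms-DS-MachineAccountQuota.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($null -eq $quota) { $quota = 10 }   # attribute absent: assume the stock default of 10

# Resolve a creator SID (byte array) to DOMAIN\user; keep the SID string if the account is gone.
function Resolve-CreatorSid {
    param([byte[]]$SidBytes)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$($sid.Value) (unresolved)" }
}

# Only computers still present count, which matches how the DC evaluates the quota:
# it counts existing computer objects whose mS-DS-CreatorSID is the joining user's SID.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $null -ne $_.'mS-DS-CreatorSID' } |
    Group-Object { Resolve-CreatorSid $_.'mS-DS-CreatorSID' } |
    Sort-Object Count -Descending |
    Select-Object @{Label='Creator';   Expression={ $_.Name }},
                  Count,
                  @{Label='Quota';     Expression={ $quota }},
                  @{Label='AtLimit';   Expression={ $_.Count -ge $quota }},
                  @{Label='Computers'; Expression={ ($_.Group.Name | Sort-Object) -join ', ' }} |
    Format-Table -AutoSize
```

Accounts that show AtLimit = True are the ones whose next deployment join will fail; a creator that no longer resolves still holds its slots until those computer objects are deleted.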

Just some random fun from a troubleshooting session that I wanted to share, in case you were wondering why your OS deployment may randomly appear to work and then fail to join a computer to the domain.
