Domain Users Cannot Join Workstation or Server to a Domain

ID: Q251335


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0


SYMPTOMS

When you attempt to join a Windows 2000 domain from a computer running Windows NT 4.0 Workstation or Windows NT 4.0 Server, the following error message may be displayed:

The machine account for this computer either does not exist or is unavailable.

If the workstation or server you are attempting to join is a computer running Windows 2000 Professional or Windows 2000 Server, the following error message is displayed:

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

NOTE: This error message only occurs if you have already joined 10 workstations to the domain.


CAUSE

Windows 2000 grants the "Add workstations to domain" privilege to the Authenticated Users group by default. When this privilege is enabled, an authenticated user can create computer accounts without passing the access control list (ACL) check on the container, up to a predefined maximum. To prevent misuse, the maximum number of machine accounts any single authenticated user can join to the domain is 10 by default.


RESOLUTION

To resolve this problem, use one of the following methods.

Method 1: Pre-Create the User's Computer Account

  1. From the Active Directory Users and Computers snap-in, right-click the container where the account resides.


  2. Click New, and then click Computer.


  3. In the Computer name box, type the name of the Windows 2000-based computer that you want to add to the domain.

    Make sure the computer's name is also entered in the Computer name (pre-Windows 2000) box (this should occur automatically).


  4. Click Change. Select the user or group that will be joining this computer to the domain, and then click OK.


  5. If you want Windows NT 4.0 and previous operating systems to use this computer name object, click to select the Allow pre-Windows 2000 computers to use this account check box, and then click OK.


Method 2: Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User

  1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.


  2. Right-click the Computers container, and then click Properties.


  3. On the Security tab, click Advanced.


  4. On the Permissions tab, click Authenticated Users, and then click View/Edit.

    NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries.


  5. Make sure the This object and all child objects option is displayed in the Apply onto box.


  6. From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.


Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain

You can override the default limit, using either of the following methods:
  • Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.


  • Use an Active Directory Services Interface (ADSI) script to increase or decrease the value of the Active Directory ms-DS-MachineAccountQuota attribute.
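The following PowerShell script is an added example of the ADSI approach described in Method 3; it is not part of this article and not Microsoft-supplied code. It uses the [ADSI] accelerator (no Active Directory module required) to read the domain's ms-DS-MachineAccountQuota, optionally set it when a -NewQuota value is supplied, and then list existing computer objects that carry mS-DS-CreatorSID, the attribute stamped on accounts created under the quota rather than through an explicit Create Computer Objects permission. The -NewQuota parameter name and its -1 "report only" sentinel are assumptions of this example.

```powershell
# Added example (not from the KB article): inspect and adjust the domain's
# ms-DS-MachineAccountQuota with the ADSI accelerator. Run on a domain-joined
# machine as an account permitted to write the domain head object.
param(
    [int]$NewQuota = -1   # assumed sentinel: -1 means "report only, do not change"
)

# Locate the domain naming context without hard-coding the domain name.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Get("defaultNamingContext")
$domain   = [ADSI]"LDAP://$domainDn"

$current = $domain.Get("ms-DS-MachineAccountQuota")
Write-Host "Domain: $domainDn"
Write-Host "Current ms-DS-MachineAccountQuota: $current"

if ($NewQuota -ge 0) {
    # 0 removes the quota-based join right entirely: only principals holding
    # Create Computer Objects on a container (Method 1 or 2) can then add machines.
    $domain.Put("ms-DS-MachineAccountQuota", $NewQuota)
    $domain.SetInfo()
    Write-Host "ms-DS-MachineAccountQuota set to $NewQuota"
}

# Review which existing computer objects were created under the quota:
# such objects carry mS-DS-CreatorSID, the SID of the non-privileged creator.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(mS-DS-CreatorSID=*))"
[void]$searcher.PropertiesToLoad.AddRange(@("name", "mS-DS-CreatorSID"))
foreach ($result in $searcher.FindAll()) {
    $sidBytes = $result.Properties["ms-ds-creatorsid"][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }   # creator no longer resolvable, show raw SID
    Write-Host ("{0,-20} created by {1}" -f $result.Properties["name"][0], $creator)
}
```

Run it with no arguments to report the current quota and the quota-created accounts; run it as `.\Set-MachineAccountQuota.ps1 -NewQuota 0` to disable quota-based joins so that only accounts granted Create Computer Objects (Method 1 or 2) can add machines, or with a higher value to raise the limit. The creator listing is read-only and is useful for checking, before changing the quota, which machine accounts were added by ordinary users.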



STATUS

This behavior is by design.

Additional query words:

Keywords : kbenv
Version : WINDOWS:2000; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbprb


Last Reviewed: January 31, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.