Skip to main content

The Vilkas Wire

ms-DS-MachineAccountQuota Explained: Why This Default Setting Leads to AD Compromise

Jul 2, 2025 · By Ben Rollin

Active DirectoryDefender TipsInfoSecPentest
abstract default ms-ds-machineaccountquota cover aimage

What is ms-DS-MachineAccountQuota?

ms-DS-MachineAccountQuota is an Active Directory setting that decides how many computer accounts a user can create in the domain. By default, it’s set to 10, so any authenticated user can join or create up to 10 machine accounts, no matter their role.

This attribute was first introduced with Windows Server 2000. In modern networks, the risk of leaving the default in place outweighs the benefits.


Why This Exists and Why It’s Risky

When you join a computer to the domain, Active Directory creates a machine account (such as LAB01$) and gives it credentials. This process is meant to allow secure communication between the computer and the domain controller.

However, attackers can exploit this default setting. There are now tools that let them create machine accounts they control using only regular domain user credentials, without needing real computers. Once these accounts are in Active Directory, attackers can use them like real users: to authenticate, run queries, and even launch attacks.

Even worse, attackers can sometimes get valid credentials without having to crack any passwords.

This feature was originally meant to make things easier for IT teams and let users like developers or lab admins join systems to the domain without waiting for help desk support. But now, this default setting can give attackers an easy way in.


What an Attacker Can Do With a Machine Account

If an attacker creates a machine account, either with stolen credentials or by relaying NTLM authentication through a spoofing attack, they can use it as a starting point for more serious attacks.

Here are some of the attacks that become possible:

  • Kerberoasting & ASREPRoasting: Harvesting and cracking Kerberos service tickets
  • AD CS Abuse: Requesting malicious certificates from Active Directory Certificate Services (AD CS)
  • RBCD (Resource-Based Constrained Delegation): Abusing delegation paths
  • Unconstrained Delegation: Accessing high-value credentials via misconfigured services
  • SCCM/MECM Attacks: Targeting misconfigured endpoint management systems
  • Domain Enumeration: Mapping out users, groups, permissions, even when heavily restricted

Since these accounts look like normal computers in Active Directory, their activity often goes unnoticed.

In environments where ms-DS-MachineAccountQuota is still set to its default value, Vilkas can help assess related Active Directory exposure and identify other identity attack paths through our in-depth Active Directory Security Assessment.


How to Check Your Current Setting

To check your current ms-DS-MachineAccountQuota value on a domain controller, run this PowerShell command:

Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

If the result is 10, your domain is still using the insecure default setting.


How to Lock It Down

To stop regular users from joining or creating machine accounts, set the quota to 0:

Set-ADDomain -Identity <FQDN HERE> -Replace @{"ms-DS-MachineAccountQuota"="0"}

Run the previous command again to make sure the change worked.

After this, only users or groups who have been given permission, like Domain Admins or custom roles, will be able to create machine accounts.


What Could Break?

Changing this setting won’t affect any existing systems or machine accounts. It only impacts new accounts created by non-admin users. However:

  • Any automated system or script relying on non-admin users creating/joining machines will fail
  • Lab users or developers might need new permissions
  • Third-party tools that auto-join systems to the domain could break if misconfigured

Before making this change, talk with your IT teams, developers, and endpoint management staff to make sure everyone is prepared.


Final Thoughts

Most organizations don’t need every domain user to create computer accounts. In today’s Active Directory environments, this old setting is more risky than helpful.

Setting ms-DS-MachineAccountQuota to 0 is an easy way to remove a common attacker entry point, especially when NTLM relay attacks are possible.

This is one of the simplest steps you can take to make your domain more secure.

Check out our Active Directory Security Hardening & Hygiene Checklist for the most common issues we find during internal assessments and tips on how to fix them.


Want to test your environment for risks like this?

Vilkas Cybersecurity helps organizations find and fix real-world security risks, not just theoretical problems.

If you have a question about this article or a security issue you’re facing, fill out the form and we’ll get back to you soon.

Loading form…