The quota for the user to join the machine is 10. This value can be modified to increase security.
The attribute where the quota is stored in active directory is "msDS-MachineAccountQuota"
Example
We have a User "User1" in Active Directory who is the Member of "Domain Users" group only
The attribute "msDS-MachineAccountQuota" can be located in domain partition properties
Be default, the value of msDS-MachineAccountQuota is 10
Lets change the value of msDS-MachineAccountQuota to 1
Lets now join this machine to the domain (Currently we are logged on to this machine as "User1")
User1 was able to join the machine to the domain
Lets try to join another machine to the domain (Currently we are logged on to this machine as User1)
Oops... We got the Err...
* With inputs from Pankaj Singh and Preeti Saseendran
