
KB-1847: Error: The user has exceeded its join quota.

Auditing and Monitoring Service, Authentication Service, Mac & PC Management Service

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl.


When joining a Mac or a Unix/Linux machine to AD using Centrify DirectControl, the following error messages were observed: 

root# ./ -n --std-suite --adjoin_opt="--user SOMEBODY --password SOMETHING --zone MAC-TESTING-ZONE-01 --force"

Using writable domain controller: yourdc.local
Error: The user has exceeded its join quota.
"Please use a different user or ask the Active Directory to grant more joins"

Is there a parameter which can be changed to get past this join quota?


The 'number of joins' is defined/governed in Microsoft Active Directory. 

The number of joins, which counts all computers and not only Unix/Linux machines, is determined by the "ms-DS-MachineAccountQuota" attribute of the domain.

By default, an authenticated user account may join up to ten computers to the domain without any additional permissions or rights. The value ten is the default value of "ms-DS-MachineAccountQuota" attribute. 

Online resources say this value can be increased, or the feature can be disabled by setting "ms-DS-MachineAccountQuota" to zero. Administrative or delegated users are exempt from this quota based on permissions in the directory.

Microsoft KB:

3rd party link which shows the usage of Microsoft's ADSIedit tool to manipulate this number.

Note: Centrify does not take any responsibility if the above links are unavailable over a period of time.

The ldapsearch below can also be used to determine this number:

  ldapsearch -m -QQQ -LLL -H LDAP:// -b "dc=acme,dc=com" ms-DS-MachineAccountQuota | grep -i ms-DS-MachineAccountQuota 

  ms-DS-MachineAccountQuota: 10 


Please check with the AD administrators to find out whether this limit can be increased.
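
To see which accounts have used up the quota before asking for a change, the following added example (not Centrify or Microsoft code) counts computer objects per creator in LDIF output and compares the count with "ms-DS-MachineAccountQuota". It assumes the LDIF was saved from an ldapsearch that returned the domain object and the computer objects with their mS-DS-CreatorSID attribute, which is the attribute Active Directory counts against the quota; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which creators have reached ms-DS-MachineAccountQuota.
# Input is LDIF on stdin: the domain object (quota attribute) plus computer
# objects carrying mS-DS-CreatorSID (binary, so LDIF shows it base64 after "::").

quota_report() {
    awk '
        BEGIN { quota = 10 }    # AD default when the attribute is not in the input
        {
            # LDIF attribute names are case-insensitive; split "name: value"
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*::? */, "", value)
        }
        name == "ms-ds-machineaccountquota" { quota = value + 0 }
        name == "ms-ds-creatorsid"          { joins[value]++ }
        END {
            for (sid in joins) {
                # A quota of 0 means ordinary users may not join any machine
                state = (quota > 0 && joins[sid] < quota) ? "ok" : "exhausted"
                printf "%s %d/%d %s\n", sid, joins[sid], quota, state
            }
        }
    ' | sort
}

# Constructed sample input (placeholder SIDs, not real directory data):
# one account has joined ten machines, another has joined one.
sample_ldif() {
    printf 'dn: DC=acme,DC=com\nms-DS-MachineAccountQuota: 10\n\n'
    i=1
    while [ "$i" -le 10 ]; do
        printf 'dn: CN=MAC%02d,CN=Computers,DC=acme,DC=com\n' "$i"
        printf 'mS-DS-CreatorSID:: c2lkLUE=\n\n'
        i=$((i + 1))
    done
    printf 'dn: CN=LNX01,CN=Computers,DC=acme,DC=com\n'
    printf 'mS-DS-CreatorSID:: c2lkLUI=\n\n'
}

sample_ldif | quota_report
```

An account reported as "exhausted" will get the join quota error on its next join unless it has been delegated the right to create computer objects.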