Set MachineAccountQuota to 0

MITRE ATT&CK:

  • Initial Access

MITRE D3FEND:

  • User Account Permissions

MachineAccountQuota (ms-DS-MachineAccountQuota) is a domain-level attribute that allows any authenticated domain user, without administrative rights, to join up to 10 devices to the Windows domain. Attackers can abuse this capability for Kerberos Resource-Based Constrained Delegation (RBCD) attacks or Kerberos Unconstrained Delegation, among others, because a computer account they create is one they fully control. Setting the quota to 0 ensures that explicit permissions are required before a device can be added to the domain.

Audit

Via PowerShell:

Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

Configuration (PowerShell)

Set-ADDomain -Identity <DomainName> -Replace @{"ms-DS-MachineAccountQuota"="0"}
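As an added example (not from the original page), the audit and configuration steps above combined into one script that verifies the change and then lists computer objects that were created through the quota, so their owners can be reviewed. It assumes the ActiveDirectory RSAT module and a session with rights to modify the domain object.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (RSAT) is installed and the session can modify the domain object.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # Read the attribute from the domain head (same query as the Audit step)
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuotaToZero {
    # Apply the Configuration step, then re-read to confirm the write took effect
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain.DistinguishedName `
        -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
    $after = Get-MachineAccountQuota
    if ($after -ne 0) { throw "ms-DS-MachineAccountQuota is still $after" }
    $after
}

function Get-QuotaCreatedComputers {
    # ms-DS-CreatorSID is populated only on computer objects joined by a user who
    # relied on the quota rather than on explicitly delegated create rights. Those
    # accounts remain owned by their creator after the quota is set to 0, so they
    # are worth reviewing (the creator can still edit their attributes).
    Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($_.'ms-DS-CreatorSID', 0)
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
        }
}

$current = Get-MachineAccountQuota
Write-Host "Current ms-DS-MachineAccountQuota: $current"
if ($current -ne 0) {
    Set-MachineAccountQuotaToZero | Out-Null
    Write-Host "ms-DS-MachineAccountQuota set to 0"
}
Write-Host "Computer accounts created through the quota:"
Get-QuotaCreatedComputers | Format-Table -AutoSize
```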

User Impact

None for end users. After the change, devices must be joined by an account that has been explicitly granted the right to create computer objects.