Restrict the AD users to join computers to the domain

By default, each authenticated AD user is allowed to create 10 computer objects in the default computer container. The quota is managed by the parameter ms-DS-MachineAccountQuota. It is highly recommended that you remove the ability by resetting the value to 0 in domain controller.

1. Open ADSI Edit from the Administrative Tools folder.
2. Right-click ADSI Edit and click Connect To.
3. In the Connection Point section, click Select A Well Known Naming Context, and then select Default Naming Context from the drop-down list.
4. Click OK.
5. In the console tree, expand Default Naming Context.
6. Right-click the domain folder—“dc=contoso,dc=com”, for example—and then choose Properties.
7. Select ms-DS-MachineAccountQuota and click Edit.
8. Type 0 and click OK.

You will see the below error message when you try to join the computer to the domain.