Get the Script: Grant-ComputerJoinPermission.ps1

The principle of least privilege, as applied to Active Directory (AD), means that users should be granted only the minimum permissions necessary to complete their job functions. The larger the organization, the more likely it is that AD permissions are delegated to various groups. A common example is granting a service desk team permission to reset passwords and unlock user accounts. See the Delegating administration topic in the product documentation, https://technet.microsoft.com/en-us/library/cc778807.aspx, for more information about AD delegation.

The principle of least privilege also applies to the management of computer accounts. By default, domain users can create and join up to 10 computers to the domain. You can change this value in a domain by modifying the ms-DS-MachineAccountQuota attribute, as noted in the Microsoft knowledge base article Default limit to number of workstations a user can join to the domain (https://support.microsoft.com/en-us/kb/243327). Many domain administrators change this setting to zero in order to enforce compliance with organizational processes and standards (for example, to prevent users from creating arbitrary computer names). As a result, many organizations need to delegate permissions to join computers to the domain.
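Before delegating join permissions it helps to know where a domain stands. The following is an added example, not the article's Grant-ComputerJoinPermission.ps1 script: it reads ms-DS-MachineAccountQuota from the domain naming context and lists the computer accounts that were created under that quota (AD records the creating user's SID in mS-DS-CreatorSID only when the quota, rather than an explicit Create Computer objects right, authorized the join). It assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user who can read the domain object.

```powershell
# Added example, not the article's Grant-ComputerJoinPermission.ps1 script.
# Reports the domain's ms-DS-MachineAccountQuota and lists computer accounts
# that were created under that quota rather than through delegated permission.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is
# running as a domain user that can read the domain naming context.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $quota = (Get-ADObject -Identity $domainDn -Server $Domain `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # A computer created by a non-privileged user under the quota records that
    # user's SID in mS-DS-CreatorSID; one created through explicit
    # "Create Computer objects" rights does not carry the attribute.
    $quotaJoined = Get-ADComputer -Server $Domain -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties 'mS-DS-CreatorSID', 'whenCreated' | ForEach-Object {
            # mS-DS-CreatorSID is stored as a binary SID; decode it from offset 0.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted
            [pscustomobject]@{
                Computer    = $_.Name
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }

    [pscustomobject]@{
        Domain                 = $Domain
        MachineAccountQuota    = [int]$quota
        QuotaIsDefault         = ([int]$quota -eq 10)   # 10 is the out-of-box value
        ComputersJoinedByQuota = @($quotaJoined)
    }
}

# Usage: show the current quota and who has been joining machines under it.
$report = Get-MachineAccountQuotaReport
"ms-DS-MachineAccountQuota for $($report.Domain) is $($report.MachineAccountQuota)"
$report.ComputersJoinedByQuota | Format-Table -AutoSize
```

A non-empty ComputersJoinedByQuota list with the quota still at 10 is the situation the article's delegation approach is meant to replace: joins are happening under the blanket quota rather than under a reviewed, delegated permission.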