account creation
The command ms-DS-MachineAccountQuota, if set to 0, will it also affect the administrators from joining accounts to the domain? Also, how can I give a particular user privilege to create accounts in a domain?
February 28th, 2011 4:57am
Sorry, you have posted your question in a forum that talks about Microsoft Operations Framework (MOF), so I am moving your post to another forum, and I hope you can get some help. But if you want, you can try to find another forum yourself:
http://social.technet.microsoft.com/Forums/en-US/
Hope that helps
Regards,
Cleber Marques
Microsoft MVP & MCT | Charter Member: SCVMM & MDOP
MOF Brazil Project: Simplifying IT Service Management
My Blog | MOF.com.br | CleberMarques.com | CanalSystemCenter.com.br
February 28th, 2011 9:44am
To allow users to create accounts (users, computers, and/or groups) in the domain, the easiest way is to use the "Delegation of Control" wizard. Just right-click the OU where you want to allow the user (or better yet, create a group so you only have to do this once, then add/remove users from the group), click on Delegate Control, then configure the settings by using the wizard.
Alternatively, a user can simply be added to the "Account Operators" built-in group. This provides the user with a lot more rights and permissions than the more granular method using the Delegation process.
Visit: anITKB.com, an IT Knowledge Base.
February 28th, 2011 10:10am
Hi,
For your inquiry on ms-DS-MachineAccountQuota, it stores a numeric value of the number of computers that an authenticated user is allowed to join to the domain (actually it is the number of computer objects that that user is allowed to create in a domain). Administrative users and delegated users are exempt from this quota because they have the necessary permissions to create computer objects anywhere in the domain.
For how to give a particular user privilege to create accounts in a domain, besides what [JM] suggested, you can also check whether the following articles help:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
http://support.microsoft.com/?id=251335
Thanks.
Nina
March 2nd, 2011 9:08pm
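An audit of the quota discussed in this thread, as an added example that is not code from any of the posters: it reads ms-DS-MachineAccountQuota from the domain root and lists which accounts have created computer objects under it. It assumes the ActiveDirectory PowerShell module (RSAT), a domain-joined session with read access, and that quota-created computers carry the creator's SID in mS-DS-CreatorSID.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. The quota is an attribute of the domain root object, not a command.
$root  = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
$quota = $root.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDn = $quota"

# 2. Computer objects created by ordinary authenticated users under the quota
#    record the creator's SID in mS-DS-CreatorSID (assumption stated in the lead-in).
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated

$report = foreach ($c in $created) {
    $sid = $c.'mS-DS-CreatorSID'
    # Normalise to a SecurityIdentifier if the raw bytes were returned.
    if ($sid -is [byte[]]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
    }
    # Resolve the SID to a name; deleted accounts will not resolve.
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$sid (unresolved)" }

    [pscustomobject]@{
        Computer    = $c.Name
        Creator     = $who
        WhenCreated = $c.whenCreated
    }
}

# 3. Per-creator count: this is the number the quota is compared against.
$report | Group-Object Creator |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Setting the quota to 0 so that only administrators and delegated
#    users/groups can create computer objects. Left commented out on purpose.
# Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Accounts that appear in the per-creator list are the ones that would lose the ability to join machines once the quota is 0, unless they are granted rights through the Delegation of Control wizard first.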