Hi mrmplz
Preventing all authenticated users from adding computer objects into an Azure Active Directory Domain Services (AADDS) domain can be challenging, especially if you're unable to modify certain settings like the ms-DS-MachineAccountQuota or GPOs directly within AADDS due to its design constraints.
Here are some alternative approaches you can consider to limit the ability to add computer objects:
Use Conditional Access Policies: You can use Azure AD Conditional Access policies to restrict who can perform specific actions, including adding computer objects. While this doesn't directly prevent all authenticated users, you can create a policy that targets specific groups or users who are allowed to add computer objects.
Delegation of Control: Delegate control over the OU where computer objects are created to specific groups or users. This way, you can limit who has the authority to add computer objects. However, this approach might not work well if you cannot modify the GPOs.
Scripting and Automation: You can create custom scripts or automation workflows that allow computer object creation but only for authorized users or service accounts. These scripts can enforce additional logic or approval processes before creating computer objects.
Regular Auditing and Monitoring: Implement a robust auditing and monitoring solution to keep track of computer object creations. This won't prevent unauthorized creations but will help you identify and take action against any violations quickly.
Azure AD Roles and Permissions: Check if you can use Azure AD roles and permissions to limit who can create computer objects. Azure AD has built-in roles like "Global Administrator" and "User Administrator," but you can create custom roles with specific permissions.
Azure AD Privileged Identity Management (PIM): PIM allows you to manage, control, and monitor access within Azure AD, including role-based access control (RBAC). You can enforce Just-In-Time (JIT) access for specific roles, making it more difficult for users to perform privileged actions without approval.
Remember that AADDS comes with its own set of limitations and capabilities, and Microsoft's documentation and support resources can provide insights into the best practices and available options for managing user and computer objects in AADDS. If none of the above methods provide a suitable solution, you may want to engage with Microsoft support to explore custom solutions or potential feature enhancements.
<If this response has answered your query, please 'Accept as Answer' >
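The checks behind the "Delegation of Control" and "Regular Auditing and Monitoring" approaches above, as an added example that is not part of the original answer: a read-only PowerShell report of which principals hold CreateChild on the computers OU and which computer accounts there were created through the machine-account quota rather than by someone with an explicit right. It assumes a Windows management VM joined to the managed domain with the RSAT ActiveDirectory module, run as a member of "AAD DC Administrators"; the OU name "AADDC Computers", the 30-day window and the output layout are assumptions you can change.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the original answer.
  Read-only report for an AADDS computers OU:
    1. who can create computer objects there (ACL), and
    2. which computers were created via ms-DS-MachineAccountQuota.
  Assumptions: domain-joined management VM with RSAT, run as a member of
  "AAD DC Administrators"; OU name and day window are defaults to adjust.
#>
param(
    [string]$ComputersOU = ("OU=AADDC Computers," + (Get-ADDomain).DistinguishedName),
    [int]$Days = 30
)

# Schema GUID of the "computer" object class. An ACE with this ObjectType grants
# CreateChild for computer objects only; an empty ObjectType covers every class.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Get-ComputerCreateAces {
    # Lists Allow/Deny ACEs on the OU that permit or block creating computer objects.
    param([Parameter(Mandatory)][string]$OU)
    $acl = Get-Acl -Path ("AD:\" + $OU)
    foreach ($ace in $acl.Access) {
        $hasCreateChild  = (($ace.ActiveDirectoryRights -band $CreateChild) -ne 0)
        $scopesComputers = ($ace.ObjectType -eq $ComputerClassGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($hasCreateChild -and $scopesComputers) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType      # Allow or Deny
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'any child object' } else { 'computer objects' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-QuotaCreatedComputers {
    # mS-DS-CreatorSID is written only when the account was created by a user who
    # had no CreateChild right on the OU and consumed the machine-account quota,
    # so it marks joins performed by ordinary authenticated users.
    param([Parameter(Mandatory)][string]$OU, [int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADComputer -SearchBase $OU -Filter { whenCreated -ge $since } -Properties whenCreated, 'mS-DS-CreatorSID' |
        Where-Object { $null -ne $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$_.'mS-DS-CreatorSID', 0)
            # Resolve the SID to a name; fall back to the raw SID if the creator was deleted.
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{
                Computer = $_.Name
                Created  = $_.whenCreated
                Creator  = $creator
            }
        }
}

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
"`nPrincipals with CreateChild on $ComputersOU :"
Get-ComputerCreateAces -OU $ComputersOU | Format-Table -AutoSize
"`nComputers created through the quota in the last $Days days:"
Get-QuotaCreatedComputers -OU $ComputersOU -Days $Days | Format-Table -AutoSize
```

Run it as `.\Audit-ComputerCreation.ps1` (assumed file name) or with `-ComputersOU "OU=Servers,DC=aaddscontoso,DC=com" -Days 7` to point it at a custom OU. Nothing is modified: the first table tells you whether any broad group appears with an Allow CreateChild entry, and the second table is the list to act on when the quota itself cannot be changed, since every row in it is an account created by a user who was not explicitly delegated the right. Schedule it and diff the second table between runs if you want the monitoring the answer describes.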