Disable Authenticated Users from being able to join computers to the domain

One of the things I still can’t understand is why ordinary users should be allowed to join computers to the domain. One best practice I always follow is to change the maximum number of machines an authenticated user can join to the domain to ZERO. Users with permissions to create objects in specific OUs, either as Domain Admins or through delegated rights (use the delegation wizard), will still be able to create computer objects and join computers to the domain.

To accomplish that, follow the procedure below:

ADSIedit > Default Naming Context > “DC=domain,DC=com” > Properties > Attribute Editor
Set ms-DS-MachineAccountQuota to 0

Summary: ms-DS-MachineAccountQuota stores a numeric value for the number of computers that a user is allowed to join to the domain (more precisely, the number of computer objects that user is allowed to create in the domain). When a machine is joined to the domain, the…
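The same change can be made and verified from PowerShell instead of ADSIedit. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is installed and that it runs under an account allowed to write the domain head object (for example a Domain Admin). It reads the current quota, sets it to 0, confirms the write, and then lists the computer objects that were created through the quota rather than by a delegated administrator, which Active Directory marks by stamping the creator’s SID in mS-DS-CreatorSID.

```powershell
# Added example (not from the original post): audit and set ms-DS-MachineAccountQuota
# using the ActiveDirectory module (RSAT). Assumes the account running this can
# write to the domain head object.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota (the attribute defaults to 10 if it was never changed)
$before = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota on $domainDN : $($before.'ms-DS-MachineAccountQuota')"

# 2. Set the quota to 0 so Authenticated Users can no longer create computer objects.
#    Accounts with explicit Create Child rights on an OU are unaffected.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3. Verify the change actually landed
$after = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
if ($after.'ms-DS-MachineAccountQuota' -ne 0) { throw 'ms-DS-MachineAccountQuota was not updated' }
"ms-DS-MachineAccountQuota is now $($after.'ms-DS-MachineAccountQuota')"

# 4. Find computers that were joined through the quota rather than by a delegated
#    admin. AD stamps mS-DS-CreatorSID only on objects created via the quota, so
#    this shows the machines the new setting would have prevented.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID |
    ForEach-Object {
        # mS-DS-CreatorSID is returned as a binary SID; convert it to a readable account
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may have been deleted; show the raw SID
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator }
    } | Format-Table -AutoSize
```

Step 4 is worth running before and after the change: setting the quota to 0 stops new joins by unprivileged users, but it does nothing about computer objects they created earlier, so those should be reviewed and re-owned or removed as appropriate.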