Pre-provision Microsoft Entra hybrid join: Increase the computer account limit in the Organizational Unit (OU)

Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join steps:

  • Step 3: Increase the computer account limit in the Organizational Unit (OU)

For an overview of the Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join workflow, see Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join overview.

Note

If you have already increased the computer account limit to the proper Organizational Unit (OU) as part of the Windows Autopilot user-driven Microsoft Entra hybrid join scenario, you can skip this step and move on to Step 4: Register devices as Autopilot devices.

Increase the computer account limit in the Organizational Unit (OU)

The purpose of the Intune connector is to join computers to an on-premises domain during the Autopilot process. The Intune connector creates computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process. For this reason, the server running the Intune connector needs to have permissions to create and delete computer accounts in the OU where the computers are joined to the on-premises domain.

With default permissions in Active Directory, domain joins by the Intune connector may initially work without any permission modifications to the OU. However, after the server running the Intune connector has joined 10 computers to the on-premises domain, further joins fail, because by default Active Directory allows any single account to join at most 10 computers to the domain.

The following users aren't restricted by the 10-computer domain join limitation:

  • Users in the Administrators or Domain Administrators groups.
  • Users who have delegated permissions on Organizational Units (OUs) and containers in Active Directory to create and delete computer accounts.

To fix this limitation, the server running the Intune connector needs to be delegated permissions to create and delete computer accounts in the Organizational Unit (OU) where the computers are joined to the on-premises domain. It's also recommended to set these permissions explicitly in case the server running the Intune connector doesn't have permissions to create computers in the OU, for example because the default permissions have been modified.

To increase the computer account limit in the Organizational Unit (OU) that computers are joining to during Autopilot, follow these steps on a computer that has access to the Active Directory Users and Computers console:

  1. Open the Active Directory Users and Computers console by running DSA.msc.

  2. Expand the desired domain and navigate to the organizational unit (OU) that computers are joining to during Autopilot.

    Note

    The OU that computers join during the Autopilot deployment is specified later, during the Configure and assign domain join profile step.

  3. Right-click on the OU and select Delegate Control.

    Note

    If an OU isn't being specified and computers instead join the default Computers container, right-click on the Computers container and select Delegate Control.

  4. In the Welcome to the Delegation of Control Wizard window of the Delegation of Control Wizard, select Next.

  5. In the Users or Groups window, under Selected users and groups, select Add.

  6. Next to Select this object type: in the Select Users, Computers, or Groups window, select Object Types.

  7. In the Object Types window, select the Computers check box, and then select OK. The other items in this window can be left at their default.

  8. In the Select Users, Computers, or Groups window, under the Enter the object names to select box, enter the name of the computer where the Intune connector was installed during the Install the Intune Connector step.

  9. Select Check Names to validate your entry. Once the entry is validated, select OK.

  10. In the Users or Groups window, verify that the correct computer is shown under Selected users and groups:, and then select Next.

  11. In the Tasks to Delegate window, select Create a custom task to delegate, and then select Next.

  12. In the Active Directory Object Type window:

    1. Select Only the following objects in the folder.

    2. Under Only the following objects in the folder, select Computer objects.

    3. Select both the Create selected objects in this folder and Delete selected objects in this folder check boxes.

    4. Select Next.

  13. In the Permissions window, under Permissions:, select the Full Control check box, and then select Next.

    Note

    After selecting the Full Control check box, all other options under Permissions: are automatically selected. The automatic selection of the checkboxes is normal and expected. Don't unselect any of the check boxes after they have been automatically selected.

  14. In the Completing the Delegation of Control Wizard window, select Finish.
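The wizard steps above, reproduced in PowerShell as an added example (not code from the original article): it writes the same two ACEs the Delegation of Control Wizard creates (Create/Delete Computer objects on the OU, plus Full Control over descendant Computer objects) and then lists them back so the result can be verified. The OU distinguished name and the connector server name are placeholders that must be replaced.

```powershell
# Added example, not part of the original article: PowerShell equivalent of the
# Delegation of Control Wizard steps, followed by a check of the resulting ACEs.
# Placeholders (assumptions): replace $OuDn and $ConnectorServer with your own values.
Import-Module ActiveDirectory

$OuDn            = 'OU=AutopilotDevices,DC=contoso,DC=com'   # placeholder: OU from the domain join profile
$ConnectorServer = 'INTUNECONNECTOR01'                        # placeholder: server running the Intune connector

# Well-known schemaIDGUID of the Computer object class in Active Directory
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# The wizard delegates to the connector server's computer account, not to a user
$connector = Get-ADComputer -Identity $ConnectorServer
$identity  = $connector.SID   # System.Security.Principal.SecurityIdentifier

$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# ACE 1: "Create/Delete selected objects in this folder" for Computer objects,
# applied to the OU itself and everything beneath it
$aceCreateDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $identity, $createDelete, $allow, $computerClassGuid, $inheritAll

# ACE 2: "Full Control" scoped to descendant Computer objects only (inherit-only, typed by class)
$aceFullControl = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $identity, $fullControl, $allow, $inheritDesc, $computerClassGuid

# Apply both ACEs to the OU (the AD: drive is provided by the ActiveDirectory module)
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($aceCreateDelete)
$acl.AddAccessRule($aceFullControl)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show the ACEs on the OU that name the connector account and are scoped to Computer objects
$account = $identity.Translate([System.Security.Principal.NTAccount]).Value   # e.g. CONTOSO\INTUNECONNECTOR01$
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $account -and
        ($_.ObjectType -eq $computerClassGuid -or $_.InheritedObjectType -eq $computerClassGuid)
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run the script once from an account that can modify the OU's security descriptor; the verification block at the end is also useful on its own to audit an OU that was delegated through the wizard.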

Next step: Register devices as Autopilot devices

More information

For more information on increasing the computer account limit in an Organizational Unit, see the following article(s):