ms-DS-MachineAccountQuota Explained: Why This Default Still Leads to AD Compromise
Default MachineAccountQuota lets regular domain users create computer accounts, which attackers can chain with common AD weaknesses to escalate quickly.
Active Directory environments still carry legacy defaults that no longer make sense in modern security models. One of the most common is ms-DS-MachineAccountQuota (MAQ).
It is simple, often overlooked, and consistently appears as a pillar in attack chains we see in real-world internal penetration tests.
ForestGuardian routinely identifies this setting as part of broader identity risk across environments, not just as a standalone issue, but as an entry point into larger attack chains.
What is ms-DS-MachineAccountQuota?
ms-DS-MachineAccountQuota is an Active Directory attribute that defines how many computer accounts a standard domain user can create. By default, it is set to 10, which means any authenticated user can create up to ten machine accounts in the domain. This behavior dates back to Windows Server 2000, when ease of use was prioritized over strict control. In modern environments, there is typically no need for standard users to join their machines to the domain themselves, leaving this attribute a persistent relic of days gone by that can pose considerable risk, especially when combined with other common, more nuanced Active Directory flaws.
Why This Still Matters
Creating a machine account is not just a provisioning task; it introduces a new security principal into Active Directory with valid credentials. An attacker does not need access to a real system to exploit this. With standard domain user access or relayed authentication, they can create machine accounts they fully control.
Once that account exists, it behaves like any other domain object. It can authenticate, request tickets, query the environment, interact with other systems, and be used in a variety of attack chains that often lead to domain compromise. The setting itself is not inherently risky, but when chained with other flaws discoverable through continuous Active Directory monitoring, the risk can go from low/medium to critical quickly.
What an Attacker Can Actually Do with the Default MAQ
Once a malicious machine account is created, it can be used in multiple ways depending on the environment:
- Enumerating users, groups, and permissions at scale to uncover additional, often chainable, issues
- Requesting Kerberos service tickets for offline cracking via a Kerberoasting attack
- Interacting with Active Directory Certificate Services (AD CS), which often presents a vast attack surface
- Abusing Resource-Based Constrained Delegation (RBCD), especially against workstations where the WebClient (or WebDAV Redirector) service is enabled, often by default
- Leveraging unconstrained or misconfigured delegation paths
Many of these activities blend in with normal domain behavior, as machine accounts are expected to exist, and their actions often do not stand out unless you are specifically looking. For this reason, machine accounts are extremely useful to attackers.
How This Becomes an Attack Chain
MAQ appears to be a minor misconfiguration when viewed in isolation. However, in practice, it’s often used to obtain a domain foothold or becomes the starting point for escalation within the domain environment.
Two examples of real-world attack chains we run into often:
- Low-privileged domain access to privilege escalation
  - Attacker gains low-privileged domain access through password spraying or a credential theft attack
  - Creates a machine account using the default MAQ setting
  - Uses that account to perform an attack chain, such as Resource-Based Constrained Delegation (RBCD), to compromise a workstation or server
  - Performs a credential theft or user impersonation attack against the compromised host
  - Moves toward privileged access by using stolen identities to compromise additional hosts, or escalates directly to Domain Admin level access
- NTLM relay to LDAP to certificate abuse
  - Attacker uses legacy Windows protocols to perform an NTLM relaying attack
  - Relays credentials to the LDAP service on a Domain Controller to create an attacker-controlled machine account
  - Uses this account to enumerate Active Directory Certificate Services (AD CS)
  - Finds a vulnerable certificate template only usable by members of the Domain Computers group
  - Uses the malicious computer account to elevate privileges directly to Domain Admin or Enterprise Admin in a few commands using widely available open-source tooling
The default MAQ is rarely a single-step issue; it fits into broader sequences. ForestGuardian maps these relationships directly, showing how something like MAQ contributes to a full attack chain instead of treating it as an isolated finding. It also shows how to break those chains by focusing on "first fix" vulnerabilities: with the entry point cut off before an attack can start, you gain time to address the remaining issues.
Why This Gets Missed
This is not a new setting; it has existed for over two decades, has been documented for years, and still shows up in production environments constantly. It is often overlooked because it is considered a default rather than a misconfiguration, its presence does not trigger alerts in most tools, it has no immediate impact on its own, and it is rarely reviewed after initial domain setup.
Traditional assessments may catch it, but only at a point in time. If it changes or reappears, it often goes unnoticed.
How to Check Your Environment
To check the current value:
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
If the result is 10, the default is still in place.
How to Lock It Down
Set the value to 0 to prevent standard users from creating machine accounts:
Set-ADDomain -Identity <FQDN HERE> -Replace @{"ms-DS-MachineAccountQuota"="0"}
This does not impact existing systems; it only affects who can create new machine accounts moving forward.
What to Expect After Changing It
In most environments, nothing breaks. However, there are a few considerations before making the change:
- Scripts or tools that join machines using non-admin accounts
- Developer or lab workflows
- Automated provisioning systems
If any of those exist, permissions should be explicitly assigned rather than relying on the default.
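The check and lockdown above cover the quota itself; before setting it to 0, a defender also wants to know which existing computer accounts were created under it. The following added example (not from the original post, and not ForestGuardian code) reads the quota and lists quota-created computers by reporting the ms-DS-CreatorSID attribute, which AD stamps only on computer objects created by a user exercising the quota rather than a delegated permission. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-MaqReport is ours.

```powershell
# Added example, not from the original post: report the current quota and
# enumerate computer accounts that were created under it.
Import-Module ActiveDirectory

function Get-MaqReport {
    $domain = Get-ADDomain
    $root   = Get-ADObject -Identity $domain.DistinguishedName `
                           -Properties 'ms-DS-MachineAccountQuota'
    $maq = [int]$root.'ms-DS-MachineAccountQuota'
    Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $maq"
    if ($maq -gt 0) {
        Write-Warning "Any authenticated user can create up to $maq computer accounts."
    }

    # ms-DS-CreatorSID is set only when the creator relied on the quota
    # (a delegated Create-Child right leaves it empty), so each object that
    # carries it was joined by a user with no explicit permission to do so.
    $quotaCreated = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
                        -Properties 'ms-DS-CreatorSID', whenCreated, operatingSystem

    foreach ($c in $quotaCreated) {
        # Assumption: the module returns the attribute as a raw byte[];
        # handle a pre-parsed SID string as well. The creator account may
        # have been deleted since, so name resolution can fail.
        $raw = $c.'ms-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) {
                   [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
               } else {
                   [System.Security.Principal.SecurityIdentifier]$raw
               }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = "$($sid.Value) (unresolved)" }

        [pscustomobject]@{
            Computer        = $c.Name
            CreatedBy       = $creator
            WhenCreated     = $c.whenCreated
            OperatingSystem = $c.operatingSystem
        }
    }
}

# Sort by creator: a single user account that created several machines,
# or a computer with no operating system recorded, is what to review first.
Get-MaqReport |
    Sort-Object CreatedBy, WhenCreated |
    Format-Table -AutoSize
```

Computers that legitimately appear in this list belong to the scripts, lab workflows and provisioning systems named above; those owners are the accounts to grant an explicit Create Child permission before the quota is set to 0.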
Where ForestGuardian Fits
The challenge with MAQ is not identifying it once, but understanding how it contributes to risk over time. ForestGuardian continuously evaluates identity configurations like this and maps how they connect to attack chains across the environment, privilege escalation paths, and credential exposure and misuse.
Instead of flagging MAQ as a standalone issue, it shows how it can be used, where it leads, and what to fix first to break the chain.
Closing Thoughts
ms-DS-MachineAccountQuota is a legacy setting that no longer aligns with how Active Directory is attacked today. It may not seem critical on its own, but it becomes an extremely reliable entry point in combination with other misconfigurations and insecure default settings.
This is just one example of the types of issues that persist quietly in environments and contribute to real-world compromise. The fix is relatively straightforward, but understanding its impact requires stepping back to see the bigger picture.
Want to see how this applies in your environment?
ForestGuardian helps you identify identity-driven attack chains, not just individual misconfigurations or scanner “noise”. If you want visibility into how settings like this impact your domain over time, get in touch, and we will show you the platform in action.