User-driven Microsoft Entra hybrid join: Increase the computer account limit in the Organizational Unit (OU)

Windows Autopilot user-driven Microsoft Entra hybrid join steps:

  • Step 3: Increase the computer account limit in the Organizational Unit (OU)

For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.

Note

If the computer account limit for the proper Organizational Unit (OU) is already increased, skip this step and move on to Step 4: Register devices as Windows Autopilot devices.

Increase the computer account limit in the Organizational Unit (OU)

Important

This step is only needed under one of the following conditions:

  • The administrator that installed and configured the Intune Connector for Active Directory didn't have appropriate rights as outlined in Intune Connector for Active Directory Requirements.
  • The ODJConnectorEnrollmentWizard.exe.config XML file wasn't modified to add the OUs that the MSA should have permissions for.

The purpose of Intune Connector for Active Directory is to join computers to a domain and add them to an OU. For this reason, the Managed Service Account (MSA) being used for the Intune Connector for Active Directory needs to have permissions to create computer accounts in the OU where the computers are joined to the on-premises domain.

With default permissions in Active Directory, domain joins by the Intune Connector for Active Directory might initially work without any permission modifications to the OU in Active Directory. However, after the MSA attempts to join more than 10 computers to the on-premises domain, it stops working, because by default Active Directory only allows any single account to join up to 10 computers to the on-premises domain.

The following users aren't restricted by the 10-computer domain join limit:

  • Users in the Administrators or Domain Admins groups: In order to comply with the least privilege principle, Microsoft doesn't recommend making the MSA an administrator or domain administrator.
  • Users with delegated permissions to create computer accounts on Organizational Units (OUs) and containers in Active Directory: This method is recommended since it follows the least privilege principle.

To fix this limitation, the MSA needs the Create computer accounts permission on the Organizational Unit (OU) where the computers are joined to the on-premises domain. The Intune Connector for Active Directory sets the permissions for the MSA on the OUs as long as one of the following conditions is met:

  • The administrator installing the Intune Connector for Active Directory has the necessary permissions to set permissions on the OUs.
  • The administrator configuring the Intune Connector for Active Directory has the necessary permissions to set permissions on the OUs.

If the administrator installing or configuring the Intune Connector for Active Directory doesn't have the necessary permissions to set permissions on the OUs, then the following steps need to be followed:

  1. Sign in to a computer that has access to the Active Directory Users and Computers console with an account that has the necessary permissions to set permissions on OUs.

  2. Open the Active Directory Users and Computers console by running DSA.msc.

  3. Expand the desired domain and navigate to the organizational unit (OU) that computers are joining to during Windows Autopilot.

    Note

    The OU that computers join during the Windows Autopilot deployment is specified later during the Configure and assign domain join profile step.

  4. Right-click on the OU and select Properties.

    Note

    If computers are joining the default Computers container instead of an OU, right-click on the Computers container and select Delegate Control.

  5. In the OU Properties window that opens, select the Security tab.

  6. In the Security tab, select Advanced.

  7. In the Advanced Security Settings window, select Add.

  8. In the Permission Entry window, next to Principal, select the Select a principal link.

  9. In the Select User, Computer, Service Account, or Group window, select the Object Types... button.

  10. In the Object Types window, select the Service Accounts check box, and then select OK.

  11. In the Select User, Computer, Service Account, or Group window, under Enter the object name to select, enter the name of the MSA being used for the Intune Connector for Active Directory.

    Tip

    The MSA was created during the Install the Intune Connector for Active Directory step/section and has the name format msaODJ#####, where ##### are five random characters. If the MSA name isn't known, follow these steps to find it:

    1. On the server running the Intune Connector for Active Directory, right-click on the Start menu and then select Computer Management.
    2. In the Computer Management window, expand Services and Applications and then select Services.
    3. In the results pane, locate the service with the name Intune ODJConnector for Active Service. The name of the MSA is listed in the Log On As column.

  12. Select Check Names to validate the MSA name entry. Once the entry is validated, select OK.

  13. In the Permission Entry window, select the Applies to: drop-down menu and then select This object only.

  14. Under Permissions, unselect all items, and then only select the Create Computer objects check box.

  15. Select OK to close the Permission Entry window.

  16. In the Advanced Security Settings window, select either Apply or OK to apply the changes.
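The same delegation can be done from PowerShell instead of the console, which also makes the resulting ACE easy to verify. This is an added example and not part of the original article; the OU distinguished name and the MSA name are placeholders, and it assumes the ActiveDirectory module is installed on the machine where it runs.

```powershell
# Added example (not from the original page): grant the Intune Connector MSA
# "Create Computer objects" on the Autopilot OU, applied to this object only,
# which matches steps 8 through 16 of the console procedure above.
Import-Module ActiveDirectory

$OuDn    = 'OU=AutopilotDevices,DC=contoso,DC=com'   # placeholder: OU used by the domain join profile
$MsaName = 'msaODJ12345'                             # placeholder: MSA name in the msaODJ##### format

# Resolve the MSA to its SID so the ACE is bound to the account, not its display name.
$msa = Get-ADServiceAccount -Identity $MsaName
$sid = [System.Security.Principal.SecurityIdentifier]$msa.SID

# Look up the schemaIDGUID of the 'computer' class; restricting CreateChild to this
# GUID is what turns a generic "create child objects" right into "Create Computer objects".
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$computerClassGuid = [Guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Inheritance 'None' is the equivalent of "Applies to: This object only" in the GUI,
# so the MSA cannot create computers in child OUs it was never delegated.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list only the ACEs on the OU that belong to this MSA. Expect exactly one
# Allow/CreateChild entry whose ObjectType is the computer class GUID.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$MsaName`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Run this with an account that can modify the OU's security descriptor; the verification query at the end is also useful on its own when checking whether the connector's installer already set the permission.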

Next step: Register devices as Windows Autopilot devices

For more information on increasing the computer account limit in an Organizational Unit, see the following articles: