Last updated at 2015-11-30 13:32:57 by ouit0354

Configuring the nsmsmmpbind account on a unit Active Directory

  1. Using "Active Directory Users & Computers", create a standard user account with the logon name "nsmsmmpbind" in an appropriate Organisational Unit (OU), e.g. "Service Accounts".

  2. Right-click the OU the nsmsmmpbind user should be able to add computer accounts to and select "Delegate Control...". Complete the Delegation of Control Wizard as follows:
    • On the Welcome page click Next
    • On the Users or Groups page, click the Add... button and add the nsmsmmpbind account created earlier, then click Next
    • On the Task to Delegate page select "Create a custom task to delegate" and click Next
    • On the Active Directory Object Type page, select "Only the following objects in the folder:", then tick Computer objects. Also tick "Create selected objects in this folder" and "Delete selected objects in this folder", then click Next
    • On the Permissions page, select "Create All Child Objects" and "Delete All Child Objects" (this will automatically tick "Creation/deletion of specific child objects", as we have restricted the object type to computer objects only earlier in the wizard). Click Next.
    • Click Finish
  3. Using the Group Policy Management console, edit the Default Domain Controllers Group Policy Object (GPO) as follows:
    • Right-click the Default Domain Controllers GPO and select Edit...
    • Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
    • Double-click the "Add workstations to domain" policy in the details pane on the right
    • Using the Add User or Group... button, add the nsmsmmpbind account to the list of users

    attachment:nsmsmmpbind-AD-permissions.png

  4. Increase the maximum number of computer objects the account can bind from the default of 10 to an appropriate number, e.g. 100, by following the instructions in Microsoft Knowledge Base article 243327 to increase the ms-DS-MachineAccountQuota.
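
To confirm the result of the steps above, the following read-only PowerShell audit (an added example, not part of the original page) lists the explicit ACEs held by nsmsmmpbind on the delegated OU and reads the current quota. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder OU distinguished name.

```powershell
# Added example: read-only audit of the delegation from steps 1-4.
# Needs the ActiveDirectory module (RSAT). $OuDn is a placeholder (assumption).
Import-Module ActiveDirectory

$AccountName   = 'nsmsmmpbind'
$OuDn          = 'OU=Workstations,DC=example,DC=org'
# schemaIDGUID of the "computer" object class
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# ActiveDirectoryRights: CreateChild (1) + DeleteChild (2), the rights chosen in step 2
$ExpectedMask  = 3

$user = Get-ADUser -Identity $AccountName -Properties MemberOf

# Step 1 asks for a standard user: any group beyond the primary group is worth a look
if ($user.MemberOf) {
    Write-Warning "$AccountName is a member of: $($user.MemberOf -join '; ')"
}

# Step 2: explicit (non-inherited) ACEs on the OU that name the account, matched by SID
$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $user.SID.Value }

if (-not $aces) { Write-Warning "No explicit ACE for $AccountName on $OuDn" }

$aces | ForEach-Object {
    $rights = [int]$_.ActiveDirectoryRights
    [pscustomobject]@{
        Type             = $_.AccessControlType
        Rights           = $_.ActiveDirectoryRights
        ObjectType       = $_.ObjectType
        InheritedObjType = $_.InheritedObjectType
        # True when the ACE is limited to computer objects one way or the other
        ComputerOnly     = ($_.ObjectType -eq $ComputerClass) -or
                           ($_.InheritedObjectType -eq $ComputerClass)
        # True when the ACE carries anything besides create/delete child
        ExtraRights      = ($rights -band (-bnot $ExpectedMask)) -ne 0
    }
} | Format-Table -AutoSize

# Step 4: the quota is an attribute of the domain head object
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
```

An ACE reported with ComputerOnly false or ExtraRights true is broader than the delegation described in step 2. ms-DS-MachineAccountQuota is set on the domain object, so the value from step 4 is not specific to nsmsmmpbind.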


