Fix: ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED (0x216D) domain join
You've hit the domain's machine account quota. The domain controller blocked the new computer join because the account doing the join has exceeded its per-user limit (10 by default, or whatever the admin set).
Quick answer
Have a domain admin either increase the ms-DS-MachineAccountQuota attribute in Active Directory, or use an account with delegated permissions to join the domain. That's it.
Why this happens
What's actually happening here is that Active Directory has a built-in quota that limits how many computer accounts a single user can create. By default, it's 10. You might not have 10 machines — the count includes any computer accounts you've ever created and not deleted. The error code 0x0000216D maps to ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, and it's triggered when you try to join a new computer and the ms-DS-MachineAccountQuota for your user has been exhausted. Microsoft put this in place as a security measure — it prevents a single user from flooding the domain with rogue machines. But it bites you when you're legitimately setting up a lab, training environment, or just have old stale machine accounts lying around.
You'll see this most often on Windows Server joining a pre-Windows 2012 domain, or when a non-admin user (like a local tech) has been doing domain joins. The DC doesn't care about your intentions — it counts every computer account created by that user's SID.
Fix steps
- Check your quota usage — On a domain controller or machine with RSAT, open PowerShell as admin, look up the SID of the user doing the joins, then count the computer accounts whose mS-DS-CreatorSID is that SID (the attribute lives on the computer object, not on the user):

# SID of the account that has been performing the joins
$sid = (Get-ADUser -Identity "yourusername").SID
# Count the computer accounts this user created under the quota
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID'.Value -eq $sid.Value } |
    Measure-Object

- Delete stale machine accounts — If you find old computers that no longer exist, remove them. This frees up quota without needing admin involvement:

# Remove this user's computer accounts that no longer answer a ping;
# add -WhatIf to Remove-ADComputer to preview the list first
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID'.Value -eq $sid.Value -and -not (Test-Connection $_.Name -Count 1 -Quiet) } |
    Remove-ADComputer -Confirm:$false

- Have an admin increase the quota — If you can't delete enough accounts, ask a domain admin to run this in ADSI Edit or PowerShell. The value is the allowance for each user, not a domain-wide total. Set it to 0 to disable non-admin joins entirely, or to a higher number if needed:

Set-ADObject -Identity "DC=yourdomain,DC=com" -Replace @{"ms-DS-MachineAccountQuota"=20}

- Use a delegated admin account — The cleanest fix: have a domain admin give your user explicit rights to create computer accounts in a specific OU. That bypasses the quota entirely. Right-click the OU in ADUC, delegate control, choose "Join a computer to the domain".
- Retry the domain join — After any of the above, try joining again. The error won't reappear unless you're still over quota.
Alternative fixes if the main one fails
- Pre-stage the computer account — Have an admin create the computer object in AD manually (any OU), then join using that pre-existing account. The quota only applies to creating the object, not joining to an existing one.
- Use a local admin account on the DC — If you have Domain Admin credentials, just run the join with those. Domain Admins aren't subject to the quota.
- Check for replication issues — Rare, but if the DC you're querying hasn't replicated quota changes, you'll still get the error. Force replication with repadmin /syncall.
Prevention tip
Stop using a single user account for all domain joins. Create a dedicated service account with delegated permissions in a specific OU, and use that for machine provisioning. Set the quota to a sensible number for your organization — 10 is fine for most, but if you're running a test lab, bump it to 50 or 100. Also, regularly clean up stale computer accounts. A quarterly script that pings machines and deletes unresponsive ones keeps the quota from filling up with ghosts.
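As an added example (not from the original article) that serves both the quota check in the fix steps and the periodic cleanup in the prevention tip: an audit script that lists, per creating user, how many computer accounts count against the quota and which of them look stale. It assumes the ActiveDirectory RSAT module and a 90-day staleness threshold; both are assumptions, not values from the article.

```powershell
# Added example: audit ms-DS-MachineAccountQuota usage per creating user.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$StaleDays = 90   # assumed threshold; tune for your environment
$domain    = Get-ADDomain
$quota     = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# mS-DS-CreatorSID is populated only on computer objects created under the
# quota; admin-created or pre-staged objects leave it empty and don't count.
$computers = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, LastLogonDate |
    Where-Object { $_.'mS-DS-CreatorSID' }

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = $computers | Group-Object { $_.'mS-DS-CreatorSID'.Value } | ForEach-Object {
    $group = $_
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.Name
    # Resolve the creator SID to an account name; a deleted creator stays a raw SID.
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $group.Name }
    # Stale = never logged on, or no logon since the cutoff (LastLogonDate is
    # derived from lastLogonTimestamp, so it can lag by up to 14 days).
    $stale = @($group.Group | Where-Object {
        -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })
    [pscustomobject]@{
        Creator    = $creator
        Created    = $group.Count
        Quota      = $quota
        AtLimit    = ($quota -gt 0 -and $group.Count -ge $quota)
        StaleCount = $stale.Count
        StaleNames = ($stale.Name -join ', ')
    }
}

$report | Sort-Object Created -Descending | Format-Table -AutoSize

# Cleanup pass: review StaleNames above, then run this with -WhatIf removed
# only for accounts you have confirmed are dead.
$computers |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Remove-ADComputer -WhatIf
```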
The real fix: either raise the limit or use the right account. Don't waste time chasing network issues — this error is purely an AD quota problem.