One Day Sec

What is the MachineAccountQuota (MAQ) and how can non-privileged users exploit it?

The MachineAccountQuota (MAQ) is a domain-level attribute that controls how many computer accounts a non-privileged domain user may add to the domain; the default is 10. Attackers can use this quota to create their own machine accounts with tools such as Powermad or SharpAllowedToAct, which enables further attacks such as Kerberos delegation abuse. The SID of the user who created the account is stored in the ms-DS-CreatorSID attribute of the new computer object.
Tags: MachineAccountQuota, MAQ, Powermad, SharpAllowedToAct, Kerberos delegation