Re: Prevent computer from being removed from the domain
From: Mike C (mike.carney_at_bentley.com)
Date: 03/03/05
- Next message: Steve W.: "Re: AntiSpyWare and Messenger"
- Previous message: Gry: "Re: Registry setting to disable ad-hoc networking"
- In reply to: Adam Leinss: "Re: Prevent computer from being removed from the domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Mar 2005 16:42:57 -0500
Ah, the kicker. :) I understand that there are tools available to sort out
what keys need to be written to or accessed. One of the reasons this
wouldn't work for us is that we are a software company filled with
developers and support staff who write scripts for customers. This would be
difficult to administer since they are constantly playing in the registry.
What I am looking for is more security through obscurity. It isn't true
security since a knowledgable user could bypass it, but it would solve my
standard user who removes their laptop on a whim at home so they can join a
neighbors network in a workgroup "cause thats how he has it setup".
Thanks for the input. The internet is just great for this kind of
discussion.
"Adam Leinss" <aleinss@techie.com> wrote in message
news:Xns960E60A25B39Daleinsstechie@toughguy.net...
> "Mike C" <mike.carney@bentley.com> wrote in
> news:OOclSIqHFHA.3040@TK2MSFTNGP10.phx.gbl:
>
>> Hi Robert,
>>
>> This is more of a covering a user with "first option failed
>> so I guess my company blocked it". We have been told in our group
>> that we should find a way to disallow users from removing their
>> machines from the domain.
>>
>> We need to have most users as part of the local admins group to
>> enable so of the app they use to run. What we are looking for is
>> similar to the above post where we simply remove the option from
>> the interface. Essentially not taking the feature away from th,
>> but also not allowing them to see it. This would take care of all
>> bout a few users who tinker.
>
> You aren't going to like what I have to say.
>
> I was just involved in a Windows 98 to Windows 2000 migration involving
> 150+ applications and not once did we have to put users in an
> administrator's group to make an application work. Granted, some
> applications want to write to a registry key or directory they do not
> have access to. You can figure this out with regmon or filemon from
> Sysinternals and then open the specific keys/directories it needs
> opened. Sometimes we had contact the vendor to get an updated version
> of the program.
>
> If the users have access to a command prompt they can also issue
> "netdom remove" to yank a computer out of the domain.
>
> See if you can get away with using just using Power User rights for
> them. I believe they cannot unjoin computers from the domain with this
> access.
>
> Also, if there was a GPO like this it would be most likely a computer
> policy which if implemented would lock out your own IT staff from
> disjoining computers from the domain!
>
> Adam
>
- Next message: Steve W.: "Re: AntiSpyWare and Messenger"
- Previous message: Gry: "Re: Registry setting to disable ad-hoc networking"
- In reply to: Adam Leinss: "Re: Prevent computer from being removed from the domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
