Re: Preventing Users from removing their PC from the Domain



Perhaps I should clarify further.
It is the machine's local admin that controls the disposition of the machine
relative to domain or workgroup membership. The local admin can
only join if they have that delegation in the domain or the machine account
was precreated. After a disjoin, the same remains true, whether or not
valid domain credentials were provided so that the
computer object was deleted during the disjoin. If such credentials
were not provided, the computer object remains, but it must first
be reset before it could be used for a (re)join. I have noticed that
when the computer object remains, it is disabled. I have not (yet)
chased down exactly when this disabling occurs, or in the context of what
account, but you will notice the object displayed with the round red x.
<rndinit9@xxxxxxxxx> wrote in message
news:1151271995.651661.257250@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
So you're saying:

If valid credentials are entered -> PC leaves domain, and Active
Directory object is deleted
Invalid credentials/none entered -> PC leaves domain but object is not
deleted from Active Directory.

Correct?


Steven L Umbach wrote:
Cool! Now I know why it prompts for credentials. --- Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23cR0hQHmGHA.4268@xxxxxxxxxxxxxxxxxxxxxxx
Entering, or not, valid domain credentials at the domain prompt
during a disjoin in my experience only impacts whether the computer
object is removed, or not.
But I agree, local admin should be required in either event.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%238bvG4BmGHA.2056@xxxxxxxxxxxxxxxxxxxxxxx
I have seen the behavior where you don't need to enter valid credentials
if you are logged on as a local administrator. Whenever I have been
logged on as a user that is not in the local administrators group, either
explicitly or by group membership, I can not even access the change name
or network ID settings, as they are grayed out and a message shows that only a
local administrator can do such. I would double check that you are not
logged on as a user that is also a local administrator, whether that be a
domain account or a local account. I would try it again, but beforehand it
would help if you could post in a reply the results of the whoami /groups
command for the logged on user that can remove the computer from the
domain and the command net localgroup administrators. Whoami can be
downloaded from Microsoft and I believe it is a RK tool. --- Steve



<rndinit9@xxxxxxxxx> wrote in message
news:1151212284.901984.169050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you Steven, however I logged on as a non local administrator. To
be more specific, a user.
The user does not have any privileges whatsoever. They cannot install
or uninstall software, but I'm willing to bet that even the guest
account (disabled by default) would be able to remove the PC from the
domain.

The funny thing is, when it prompts the user for a user name or
password, if you leave those fields blank and hit OK, it will work. And
the PC is removed from the domain. Would appreciate more replies.

Steven L Umbach wrote:
A user needs to be a local administrator in order to remove their computer
from the domain. So the obvious answer is to not allow the user to be a
local administrator and look at ways for the user to function as needed
without being a local administrator. I know that may not always be possible.
There is no magic bullet to prevent local administrators from removing their
computer from the domain, as local administrators by definition and design
are all powerful on their computer. About the best you can do is to have a
strict user policy that users sign and understand and that removing
computers from the domain is prohibited. You can also use Group Policy to
try and hide access to ways a user would use to remove their computer from
the domain if it does not interfere with their needed access to the
operating system. Group Policy can be used to hide or remove access to
Control Panel applets such as System, which is probably what most users use.
That will not work however for skilled and determined users. --- Steve


<rndinit9@xxxxxxxxx> wrote in message
news:1151146580.725415.255000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

rndinit9@xxxxxxxxx wrote:
Currently users are able to remove their PCs from the domain w/o being
prompted for a Domain Admin username/pass. This is becoming a problem.
How can I set it so that in order for a PC to be removed from the domain,
a domain admin username & password must be entered?

Your help is appreciated.

To add some info: The DC is Windows 2000
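The following is an added example and is not code from any poster in this thread. It does in PowerShell what Steve asks the original poster to check by hand (whoami /groups and net localgroup administrators), then reports whether the machine is currently domain-joined and whether the "Hide specified Control Panel items" user policy that Steve suggests as a partial mitigation is in effect. It assumes Windows PowerShell 5.1 or later, where Get-LocalGroupMember ships in the box; the registry path for the Control Panel policy and the nested-group expansion are assumptions about a typical domain setup, not something stated in the thread.

```powershell
# Added example, not code from any poster in this thread.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember ships with it).

# --- 1. Is the logged-on user a local administrator? ---------------------------
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# BUILTIN\Administrators is always S-1-5-32-544, so match on the SID rather than
# the group name (which is localised on non-English installs).
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

$viaToken = $identity.Groups -contains $adminsSid
$viaRole  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

"Logged-on user              : $($identity.Name)"
"Administrators SID in token : $viaToken"
"IsInRole(Administrator)     : $viaRole"
# Caveat: under UAC an admin's non-elevated token carries the Administrators SID
# as a deny-only group; .NET omits such groups from .Groups and IsInRole returns
# $false. 'whoami /groups' still lists the SID (marked "Group used for deny only"),
# so compare both, or run this elevated, before concluding the user is not an admin.

# --- 2. Who is in local Administrators? (what 'net localgroup administrators' shows)
"`nMembers of local Administrators:"
Get-LocalGroupMember -SID $adminsSid |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Nested membership is the case Steve calls "explicitly or by group membership":
# a domain group placed in local Administrators makes all of its members local
# admins. Point out any such group so its membership can be checked on the domain.
Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
    ForEach-Object {
        "  Domain group $($_.Name) is a local admin; list its members with:"
        "    net group `"$($_.Name.Split('\')[-1])`" /domain"
    }

# --- 3. Domain membership ----------------------------------------------------------
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"`nPartOfDomain : $($cs.PartOfDomain)"
"Domain       : $($cs.Domain)"

# --- 4. Is the System applet hidden by policy? -------------------------------------
# The user policy "Hide specified Control Panel items" records the hidden applets
# as numbered values under this key (assumed path). Hiding sysdm.cpl removes the
# route most users would take; as Steve notes, it does not stop a determined
# local admin, who can reach the same function another way.
$cplKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl'
if (Test-Path $cplKey) {
    $hidden = (Get-ItemProperty -Path $cplKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    "`nHidden Control Panel items: $($hidden -join ', ')"
} else {
    "`nNo 'Hide specified Control Panel items' policy applied to this user."
}
```

Run it in the context of the user who is able to leave the domain. If step 1 shows the Administrators SID, or step 2 shows a domain group that the user belongs to, the behaviour the original poster describes is expected: the disjoin prompt only affects the computer object in AD, as Roger explains above, and the local admin right is what permits the disjoin itself.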
