Re: Preventing Users from removing their PC from the Domain
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Fri, 30 Jun 2006 23:09:49 -0700
Hey Joe,
just fyi ...
It took me a while to remember to check this, but it is as I had
posted, i.e. without the credentials the computer account is just
disabled, but with them it is removed.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eYGgFMUmGHA.4700@xxxxxxxxxxxxxxxxxxxxxxx
You can't prevent an admin (or really anyone with local physical access)
on a machine from removing it from a domain. The credentials supplied when
it asks for credentials are simply to disable the account in the domain.
They are not required, if the computer can't disable the account in AD, it
will simply disjoin from the domain locally and leave the domain account
enabled.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
rndinit9@xxxxxxxxx wrote:
Currently users are able to remove their PC's from the domain w/o being
prompted for a DomainAdmin username/pass. This is becomming a problem.
How can I set it that in order for a PC to be removed from the domain,
that a domain admin username & password must be entered.
Your help is appreciated.
.
- Follow-Ups:
- Re: Preventing Users from removing their PC from the Domain
- From: Joe Richards [MVP]
- Re: Preventing Users from removing their PC from the Domain
- Prev by Date: Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON
- Next by Date: Re: IIS FTP Password Problems
- Previous by thread: Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON
- Next by thread: Re: Preventing Users from removing their PC from the Domain
- Index(es):
Relevant Pages
|
|
