Re: Prevent Users from leaving the Domain

From: Dusko Savatovic (savatovic.removespam_at_hotmail.com)
Date: 03/04/04 

Date: Thu, 4 Mar 2004 15:32:25 +0100

When user is a member of Local Administrators group then he/she can do
whatever he/she likes including, but not limited :-) to disjoining computer
from domain.

If you are domain admin for your company then you may consider this.
Ordinary users are allowed to join workstation to domain ten times. You may
deny this privilege by using group policy.
You may consider creating written (paper) policy with the blessing of your
management. You may explain to them that personnel is disjoining
workstations on purpose to bypass security. The policy may state that some
small fee must be paid for subsequent joininig of workstations to domain.
The money collected may be given to some charity or used for some common
benefit.
Note
When workstation is disjoined from domain, a person using ws may create
local user account with same login id and password as domain account. In
that case he/she will be allowed to access resources in domain. To prevent
this, you may wish to:
a) install enterprise certificate authority
b)configure autoenrollment of certificates for workstations.
c)apply certificate to workstation
d)create policy that will deny acces to resources without valid certificate
(SMB signing).

Dusko Savatovic

"leffe5438" <anonymous@discussions.microsoft.com> wrote in message
news:6e5c01c401c2$fa076b90$a101280a@phx.gbl...
> Hi,
> Is there any way to prevent that users can leave a domain
> and joining a Workgroup. Even if the User is member of the
> local Administrator group.
>
> I tried to accomplish this through the User Right
> Assigment - Add workstations to domain but if the user is
> member of the local Admin group it don't work.
>
>
>
>
>
>
>
>
>
>

Relevant Pages

  • Re: SBS Network Configuration Wizard
    ... or are these workstations already members of the ... SBS domain and logged on? ... workstation is already a member of the SBS domain ... > the network now to try again and click Yes when prompted. ...
    (microsoft.public.windows.server.sbs)
  • Re: New workstatiosn, users can no longer install software -using Acti
    ... domain that the user must be a member of the Local Administrators group (not ... Authenicated Users and make them member of the local admin group. ... > Problem is users can not install programs, ... > Now 2 of the workstations were existing XP. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: Local Admin on desktops
    ... add the user accounts that you want to be administrators on the workstations to this group ... "The Member Of list specifies groups in which the restricted group is ... If you remove a group from the Member Of list, the restricted group is ... administrators) without giving them Domain Admin privelidges? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Logon Script?
    ... up firefox so users can hit the company web based app automagically when they log in. ... "Member" server or workstation - a member of a domain ... Running FC4 workstations on a TCP/IP network in a primarily windows environment with samba, but not members of the local Windows AD domain. ...
    (alt.os.linux.redhat)
  • Re: Restrict Client PC Date & Time Changes
    ... Just take the domain users out of the local administrators group on the ... You are syncing the workstations with the server, ... > all the client PC are XP Pro. ...
    (microsoft.public.windows.server.sbs)