Re: Should a user be able to unjoin from domain?
- From: "Robert Moir" <robspamtrap+msnews@xxxxxxxxx>
- Date: Fri, 11 Aug 2006 18:21:00 +0100
sysadmin guy wrote:
> I have a user, who does have local admin and has managed to unjoin
> his laptop from the domain and put it into his own workgroup. Should he
> have been able to unjoin from the domain without knowing a user name
> and password for someone with domain admin security group membership?
Of course he can. Local Admin rights mean that they own the machine that
they have those rights for, and can do whatever they like with it. He
hasn't modified the domain by joining his workstation to its own workgroup
instead of your domain, so rights on the domain are not relevant here.
This is just one of the reasons many people advise you not to give admin
rights to end users.
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".