Our intention is to secure our Windows XP machines. We are a large company using Active Directory on Server 2003. We are trying to prevent domain users with local admin rights from creating a local account and being able to remove the PC from the domain. We have removed the User Accounts shortcut from Control Panel, locked down Local Users and Groups in Computer Management and the MMC console, and restricted the use of Regedit. We need to accomplish two more things and I think we will have accomplished our goal.
First, prevent the use of the Net User command or any other command that can be used to create an account at the command line. So that is my first question: how do I do that using Active Directory?
Second, there is a post on this site that says you cannot prevent a local admin from removing a PC from the domain. I am thinking that if I can use a policy to remove the Computer Name tab from System Properties, I will have essentially accomplished this. Am I wrong? And if this will work, how do I do it?