<div>
<div class="content wysiwyg-content">
Our intentions are to secure our windows XP machines, we are a large company using active directory on Server 2003. &nbsp;We are trying to prevent domain users with local admin rights from creating a local account and being able to remove the PC from the domain. &nbsp; We have removed the user accounts shortcut from control panel and locked down Local users and Groups in computer management and the MMC console and restricted the use of Regedit. &nbsp;We need to accomplish two more things and I think we will have accomplished our goal. &nbsp;<br />
<br />
First prevent the use of the Net User command or any other command that can be used to create an account at the command line. &nbsp;So that is my first question. &nbsp;How do I do that using active directory?<br />
<br />
Second, there is a post on this site that says you cannot prevent a local admin from removing a pc from the domain. &nbsp;I am thinking that if I can use a policy to remove the computer name tab from System Properties &nbsp;I will have essentially accomplished this. &nbsp;Am I wrong? &nbsp;And if this will work how do I do it?
</div>
</div>


Our intentions are to secure our windows XP machines, we are a large company using active directory on Server 2003.  We are trying to prevent domain users with local admin rights from creating a local account and being able to remove the PC from the domain.   We have removed the user accounts shortcut from control panel and locked down Local users and Groups in computer management and the MMC console and restricted the use of Regedit.  We need to accomplish two more things and I think we will have accomplished our goal.  

First prevent the use of the Net User command or any other command that can be used to create an account at the command line.  So that is my first question.  How do I do that using active directory?

Second, there is a post on this site that says you cannot prevent a local admin from removing a pc from the domain.  I am thinking that if I can use a policy to remove the computer name tab from System Properties  I will have essentially accomplished this.  Am I wrong?  And if this will work how do I do it?

Need help with Active Directory policies

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).