asked on

How do I restrict local admin from removing the domain from a workstation?

Hi,
I'm managing active directory on window server 2003, all of the machine that are joined to domain are windows xp, so is there a way to restrict the users (local administrator) from removing the domain. I mean is it possible to have a specific accounts that have that ability. In other word I don't wont all local admin have this feature.

Best Regards,
Sara

andrew_aj1

The best solution would be to prevent users from logging into the local administrator account. You can easily do this by putting a password on this account. Then they will have to use their domain account to log in - which will not have the ability to remove the computer from the domain.
I hope this helps. Good luck.

smalhas

ASKER

Hi,
Thank you for your replay, sorry i wasn't clear I mean to restrict based on those situations:

1- A user granted local administrator privilege on his domain account.
2- A user mange to know our local administrator password

andrew_aj1

1. You should be able to restrict users from opening the system properties using Group Policy. This will stop them from being able to access where they can remove the computer from the domain.
2. Use a good password. If a user guessed the Domain administrator password they could take down the whole network.

ASKER CERTIFIED SOLUTION

oBdA

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

oBdA

smalhas,
the reason you're giving for wanting to delete the question is the answer I gave above: it's not possible.
Please check EE's help on this:
I: Asking Questions > The correct answer to some questions is "You can't do that."
https://www.experts-exchange.com/help.jsp#hi405