• Status: Solved

How do I restrict local admin from removing the domain from a workstation?

Hi,
I'm managing Active Directory on Windows Server 2003, and all of the machines that are joined to the domain are Windows XP, so is there a way to restrict the users (local administrators) from removing the domain? I mean, is it possible to have specific accounts that have that ability? In other words, I don't want all local admins to have this feature.

Best Regards,
                       Sara
Asked by: smalhas

andrew_aj1 Commented:
The best solution would be to prevent users from logging into the local administrator account. You can easily do this by putting a password on this account. Then they will have to use their domain account to log in - which will not have the ability to remove the computer from the domain.
I hope this helps. Good luck.

smalhas (Author) Commented:

Hi,
Thank you for your reply. Sorry I wasn't clear; I mean to restrict based on these situations:

1- A user granted local administrator privilege on his domain account.
2- A user manages to know our local administrator password

andrew_aj1 Commented:
1. You should be able to restrict users from opening the system properties using Group Policy. This will stop them from being able to access where they can remove the computer from the domain.
2. Use a good password. If a user guessed the Domain administrator password they could take down the whole network.

oBdA Commented:
Sorry, it's just not possible.
A local administrator can do *whatever* he wants on the machine; that's the purpose of this account. You can't take permissions away from a local administrator, at least none that he couldn't regain--again, this is the *purpose* of any account in the administrators group: total control.
If the user in question is inexperienced enough to remove a domain machine from the domain, then he shouldn't be in the administrators group to start with, because he can do *way* more damage than just removing the machine from the domain, willingly or not.

oBdA Commented:
smalhas,
the reason you're giving for wanting to delete the question is the answer I gave above: it's not possible.
Please check EE's help on this:
I: Asking Questions > The correct answer to some questions is "You can't do that."
http://www.experts-exchange.com/help.jsp#hi405
Question has a verified solution.