How do I restrict local admin from removing the domain from a workstation?

Hi,
I'm managing Active Directory on Windows Server 2003, and all of the machines that are joined to the domain are Windows XP. Is there a way to restrict the users (local administrators) from removing the domain? I mean, is it possible to have specific accounts that have that ability? In other words, I don't want all local admins to have this feature.

Best Regards,
                       Sara
smalhas Asked:

andrew_aj1 Commented:
The best solution would be to prevent users from logging into the local administrator account. You can easily do this by putting a password on this account. Then they will have to use their domain account to log in - which will not have the ability to remove the computer from the domain.
I hope this helps. Good luck.
0
smalhas (Author) Commented:

Hi,
Thank you for your reply. Sorry I wasn't clear; I mean to restrict based on these situations:

1- A user granted local administrator privilege on his domain account.
2- A user manages to know our local administrator password
0
andrew_aj1 Commented:
1. You should be able to restrict users from opening the system properties using Group Policy. This will stop them from being able to access where they can remove the computer from the domain.
2. Use a good password. If a user guessed the Domain administrator password they could take down the whole network.
0
oBdA Commented:
Sorry, it's just not possible.
A local administrator can do *whatever* he wants on the machine; that's the purpose of this account. You can't take permissions away from a local administrator, at least none that he couldn't regain--again, this is the *purpose* of any account in the administrators group: total control.
If the user in question is inexperienced enough to remove a domain machine from the domain, then he shouldn't be in the administrators group to start with, because he can do *way* more damage than just removing the machine from the domain, willingly or not.
0
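
The answer above comes down to controlling who is in the local Administrators group. The following is an added example, not part of the original thread: a PowerShell script that lists members of that group on each workstation and reports any that are not on an allow-list. The computer names, the `$Allowed` list, the function name `Get-LocalAdminMember`, and the English group name `Administrators` are assumptions for illustration.

```powershell
# Added example: audit local Administrators membership against an allow-list.
# Assumptions: the group is named "Administrators" (English-language Windows),
# the caller may query the machines remotely, and $Allowed holds constructed
# sample names that you replace with your own approved accounts and groups.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Allowed      = @('Administrator', 'Domain Admins')
)

function Get-LocalAdminMember {
    param([string]$Computer)

    # Bind to the local group through the ADSI WinNT provider.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    # Members() returns COM objects; read their properties via reflection.
    foreach ($member in @($group.Invoke('Members'))) {
        $type = $member.GetType()
        New-Object PSObject -Property @{
            Computer = $Computer
            Name     = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
            Class    = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
            ADsPath  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        }
    }
}

foreach ($computer in $ComputerName) {
    try {
        # Report every member whose name is not on the allow-list.
        Get-LocalAdminMember -Computer $computer |
            Where-Object { $Allowed -notcontains $_.Name } |
            Select-Object Computer, Name, Class, ADsPath
    }
    catch {
        # Unreachable or access-denied machines are reported, not skipped silently.
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}
```

Membership of the local Administrators group can also be enforced from the domain with the Restricted Groups setting in Group Policy, so that unexpected members found by an audit like this are removed at the next policy refresh.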
oBdA Commented:
smalhas,
the reason you're giving for wanting to delete the question is the answer I gave above: it's not possible.
Please check EE's help on this:
I: Asking Questions > The correct answer to some questions is "You can't do that."
http://www.experts-exchange.com/help.jsp#hi405
0
Microsoft Server OS