How do I restrict local admin from removing the domain from a workstation?

Posted on 2008-11-07
Last Modified: 2012-06-27
I'm managing Active Directory on Windows Server 2003, and all of the machines that are joined to the domain are Windows XP. So is there a way to restrict the users (local administrators) from removing the domain? I mean, is it possible to have specific accounts that have that ability? In other words, I don't want all local admins to have this feature.

Best Regards,
Question by:smalhas
    LVL 24

    Expert Comment

    The best solution would be to prevent users from logging into the local administrator account. You can easily do this by putting a password on this account. Then they will have to use their domain account to log in - which will not have the ability to remove the computer from the domain.
    I hope this helps. Good luck.

    Author Comment


    Thank you for your reply. Sorry I wasn't clear; I mean to restrict based on these situations:

    1- A user is granted local administrator privilege on his domain account.
    2- A user manages to learn our local administrator password.
    LVL 24

    Expert Comment

    1. You should be able to restrict users from opening the system properties using Group Policy. This will stop them from being able to access where they can remove the computer from the domain.
    2. Use a good password. If a user guessed the Domain administrator password they could take down the whole network.
    LVL 82

    Accepted Solution

    Sorry, it's just not possible.
    A local administrator can do *whatever* he wants on the machine; that's the purpose of this account. You can't take permissions away from a local administrator, at least none that he couldn't regain--again, this is the *purpose* of any account in the administrators group: total control.
    If the user in question is inexperienced enough to remove a domain machine from the domain, then he shouldn't be in the administrators group to start with, because he can do *way* more damage than just removing the machine from the domain, willingly or not.
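    The practical consequence of the accepted answer is that the only real control is membership of the local Administrators group itself. The following PowerShell script is an added example, not part of the original thread: it enumerates the local Administrators group through the WinNT ADSI provider (available on Windows XP and Server 2003 as well as later versions) and reports any member that is not on an approved list. The approved list, the domain name, and the idea of running it as a Group Policy startup script are assumptions for illustration.

```powershell
# Added example (not from the original thread): audit the local Administrators
# group and report members that are not on an approved list, so that domain
# accounts quietly granted local admin rights show up in a review.

# Assumption: the names your organisation actually allows in the group.
$Approved = @('Administrator', 'Domain Admins')

# Bind to the local Administrators group via the WinNT provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Each member comes back as a COM object; pull the name and ADsPath
# (e.g. WinNT://EXAMPLEDOMAIN/jsmith) with late-bound property access,
# which works on PowerShell 1.0/2.0 as well as current versions.
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name = $_.GetType().InvokeMember('Name',   'GetProperty', $null, $_, $null)
    $path = $_.GetType().InvokeMember('ADsPath','GetProperty', $null, $_, $null)
    New-Object PSObject -Property @{ Name = $name; Path = $path }
}

# Anything not on the approved list is a finding.
$unexpected = @($members | Where-Object { $Approved -notcontains $_.Name })

if ($unexpected.Count -eq 0) {
    Write-Output ("{0}: local Administrators membership matches the approved list." -f $env:COMPUTERNAME)
} else {
    foreach ($m in $unexpected) {
        # One line per finding; suitable for collecting from many machines.
        Write-Output ("{0}: unexpected local admin {1} ({2})" -f $env:COMPUTERNAME, $m.Name, $m.Path)
    }
}
```

    Run as a computer startup script assigned through Group Policy, the output can be redirected to a central share and reviewed periodically, which turns the "keep people out of the administrators group" advice into something that is actually checked rather than assumed. On Windows Vista and later, Group Policy Preferences (Local Users and Groups) or Restricted Groups can additionally enforce the membership rather than just report on it.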
    LVL 82

    Expert Comment

    The reason you're giving for wanting to delete the question is the answer I gave above: it's not possible.
    Please check EE's help on this:
    I: Asking Questions > The correct answer to some questions is "You can't do that."
