How do I restrict local admin from removing the domain from a workstation?

Posted on 2008-11-07
Medium Priority
Last Modified: 2012-06-27
I'm managing Active Directory on Windows Server 2003; all of the machines that are joined to the domain are Windows XP. So is there a way to restrict the users (local administrators) from removing the domain? I mean, is it possible to have specific accounts that have that ability? In other words, I don't want all local admins to have this feature.

Best Regards,
Question by:smalhas
LVL 24

Expert Comment

ID: 22911224
The best solution would be to prevent users from logging into the local administrator account. You can easily do this by putting a password on this account. Then they will have to use their domain account to log in - which will not have the ability to remove the computer from the domain.
I hope this helps. Good luck.

Author Comment

ID: 22911250

Thank you for your reply. Sorry I wasn't clear; I mean to restrict based on these situations:

1. A user granted local administrator privilege on his domain account.
2. A user manages to learn our local administrator password.
LVL 24

Expert Comment

ID: 22911263
1. You should be able to restrict users from opening the system properties using Group Policy. This will stop them from being able to access where they can remove the computer from the domain.
2. Use a good password. If a user guessed the Domain administrator password they could take down the whole network.
LVL 85

Accepted Solution

oBdA earned 750 total points
ID: 22912715
Sorry, it's just not possible.
A local administrator can do *whatever* he wants on the machine; that's the purpose of this account. You can't take permissions away from a local administrator, at least none that he couldn't regain--again, this is the *purpose* of any account in the administrators group: total control.
If the user in question is inexperienced enough to remove a domain machine from the domain, then he shouldn't be in the administrators group to start with, because he can do *way* more damage than just removing the machine from the domain, willingly or not.
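Since the only real control here is who sits in the local Administrators group, an added example (not part of the thread, and not oBdA's code) that audits that membership across workstations and flags anyone outside an approved set. Computer names and the approved list are constructed placeholders; it assumes the caller has admin rights on the targets and uses the ADSI WinNT provider, which also works against Windows XP.

```powershell
# Constructed placeholders: replace with your workstation names and approved principals.
$computers = @('WS-EXAMPLE01', 'WS-EXAMPLE02')
$approvedGlobal = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-LocalAdminMembers {
    # Returns the members of the local Administrators group on $Computer as AUTHORITY\Name.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # AdsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://CONTOSO/WS01/Administrator;
        # the last two path segments give the authority and the account name.
        $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Get-UnexpectedLocalAdmins {
    # Returns the members on $Computer that are neither in the approved list
    # nor the machine's own built-in Administrator account.
    param([string]$Computer, [string[]]$Approved)
    $allowed = $Approved + @("$Computer\Administrator")
    Get-LocalAdminMembers -Computer $Computer | Where-Object { $allowed -notcontains $_ }
}

foreach ($c in $computers) {
    try {
        $unexpected = @(Get-UnexpectedLocalAdmins -Computer $c -Approved $approvedGlobal)
    } catch {
        Write-Warning "$c : could not query local Administrators ($($_.Exception.Message))"
        continue
    }
    foreach ($u in $unexpected) {
        Write-Output "$c : unexpected local administrator '$u'"
    }
}
```

Run it from a domain account that is an administrator on the targets; any line it prints is an account that can unjoin the machine (and much more) and should be reviewed against the intended membership.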
LVL 85

Expert Comment

ID: 23021033
The reason you're giving for wanting to delete the question is the answer I gave above: it's not possible.
Please check EE's help on this:
I: Asking Questions > The correct answer to some questions is "You can't do that."
