Prevent everyone except Domain Admins from disjoining PCs from the domain

Hello Experts,

How can I deny anyone from disjoining or leaving the domain and going back to a workgroup, by GPO or any other way? I noticed that any local admin user can disjoin his PC or workstation from the domain, and when he is asked for a username/password he can press OK or Cancel and the PC is disjoined without problem and goes back to a workgroup.
Asked by ahmed_bq

ahmed_bq (Author, accepted solution) commented:
Hi guys,

I got a cool solution myself :)

I created a batch file that only allows full-control access to the file "netid.dll" at c:\windows\system32\netid.dll.

This batch hides the Computer Name tab in System Properties, so they cannot leave the domain or change the computer name :)

To Hide:
rem Switch the default script host to cscript so xcacls.vbs runs in the console (host options take a double slash)
cscript.exe //h:cscript
rem xcacls.vbs is a separate Microsoft download, not part of Windows; /P replaces the existing permissions
xcacls.vbs %SystemRoot%\system32\netid.dll /P "MyDomain\domain admins":F /P system:F
rem Restore the default script host
cscript.exe //h:wscript


0
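The same ACL change as an added PowerShell example, not part of the author's post. It assumes the thread's domain name "MyDomain", that netid.dll still backs the Computer Name tab, and that the script runs elevated; Set-NetIdAcl and Test-NetIdAcl are hypothetical helper names.

```powershell
# Added example (not the author's batch file): the same netid.dll ACL
# workaround using built-in cmdlets instead of xcacls.vbs. Assumes the
# domain is "MyDomain" as in the thread, that netid.dll still backs the
# Computer Name tab, and that the script runs elevated. On current Windows
# the file is owned by TrustedInstaller, so ownership is taken first.
param(
    [string]$Dll        = "$env:SystemRoot\System32\netid.dll",
    [string]$AdminGroup = 'MyDomain\Domain Admins'
)

$Keep = @($AdminGroup, 'NT AUTHORITY\SYSTEM')

function Set-NetIdAcl {
    param([string]$Path, [string[]]$Identities)

    # Ownership first: an admin cannot rewrite a TrustedInstaller-owned DACL.
    takeown.exe /F $Path | Out-Null

    $acl = Get-Acl -Path $Path
    # Stop inheriting and clear explicit entries, like xcacls.vbs /P (replace).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    foreach ($id in $Identities) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-NetIdAcl {
    param([string]$Path, [string[]]$Identities)

    # Report whether anyone other than the intended principals can still load the DLL.
    $acl     = Get-Acl -Path $Path
    $allowed = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
                 ForEach-Object { $_.IdentityReference.Value })
    [pscustomobject]@{
        Path       = $Path
        Protected  = $acl.AreAccessRulesProtected
        Principals = $allowed
        Unexpected = @($allowed | Where-Object { $_ -notin $Identities })
    }
}

Set-NetIdAcl  -Path $Dll -Identities $Keep
Test-NetIdAcl -Path $Dll -Identities $Keep
```

As oBdA points out in the thread, a local admin can take ownership back and undo this, so it hides the tab rather than enforcing anything.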
 
oBdA commented:
You can't, unless you don't make them local admins.
A local Administrator by definition can do with the machine as he pleases, including removing it from a domain.
This is a company policy question, nothing about an OS configuration; users who can't be trusted to not remove their machine from the domain shouldn't be local admins to start with.
0
 
merowinger commented:
The only option i see is to not have users with local admin rights
0
vmwarun - Arun commented:
Under Computer Configuration -> Windows Settings -> Security Settings -> User Rights Assignment, there is a policy that states "Add Workstations to domain" using which you can define who has got the rights to add the Workstation to the domain.
Also remove the "Create Computer Objects" permission on the Active Directory Computers container.
0
 
ahmed_bq (Author) commented:
OK, what about Power Users?
0
 
oBdA commented:
arunraju,
these are permissions to add a machine to a domain; the ability to disjoin the machine itself from the domain has nothing to do with this. You don't even need access to the domain if you want to disjoin it (luckily enough, otherwise a machine that was joined to a domain at some point could never be unjoined again if the domain goes offline before the machine was removed ...).
0
 
oBdA commented:
Power Users can't disjoin a machine.
0
 
vmwarun - Arun commented:
oBdA : Thank you for the clear and concise explanation. I was under the impression that while disjoining a Computer from a domain, a check with the DC is done.
0
 
oBdA commented:
If the domain can be reached, and administrative permissions for the AD computer object are given, then the AD computer object will be disabled in AD while the machine is being removed. But these are independent operations, and a user can remove a machine from the domain at any time (whether the domain can be reached or not) if he has local admin permissions.
0
 
merowinger commented:
lol nice workaround :)
0
 
ahmed_bq (Author) commented:
Done
0
Question has a verified solution.