Policy to prevent that Users are able to disjoin Domain

[Klaus]

I'm looking for a policy for that Problem. My Users are
local admins on their PC's. Is there a policy to prevent
them from disjoining the W2K Domain?

regards, Klaus

 

[Simon Geary]

There is no predefined policy for this and as the users are local admins I
doubt it would be easy to write a custom template to do it.

One less than elegant solution would be to deny access to the System control
panel applet. You could write a custom GPO that would rename the .cpl file
or move it to a secret location known only to you. This would deny access to
the GUI functionality for disjoining domains as well as all the other
functions of System. Savvy users could still use nltest to join a different
domain though.

 

[Jimmy Harper [MSFT]]

Hi Klaus. One way to do this is to give the local admins group read-only
access to the following registry keys:

 

[Jimmy Harper [MSFT]]

(sorry, last message was accidentally sent before completing)

Hi Klaus. One way to do this is to give the local admins group read-only
access to the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerNa
me]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComp
uterName
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Please note that this is not tested or supported by Microsoft (I am not sure
if it will cause any problems on the client machines....please test before
doing this).

Also, a local administrator could go into the registry and change the
permissions on these keys back to full control if they want. There is
really no way to prevent local administrators from doing anything on the
machine. Generally, if a user needs to be restricted in any way, they
should not be a local admin.