Prevent Users from leaving the Domain

leffe5438

Hi,
Is there any way to prevent users from leaving a domain
and joining a workgroup, even if the user is a member of the
local Administrator group?

I tried to accomplish this through the User Right
Assignment - Add workstations to domain, but if the user is a
member of the local Admin group it doesn't work.
 
When a user is a member of the local Administrators group, he/she can do
whatever he/she likes, including, but not limited :-) to, disjoining the computer
from the domain.

If you are the domain admin for your company then you may consider this.
Ordinary users are allowed to join a workstation to the domain ten times. You may
deny this privilege by using group policy.
You may consider creating a written (paper) policy with the blessing of your
management. You may explain to them that personnel are disjoining
workstations on purpose to bypass security. The policy may state that some
small fee must be paid for subsequent joining of workstations to the domain.
The money collected may be given to some charity or used for some common
benefit.

Note
When a workstation is disjoined from the domain, a person using the ws may create
a local user account with the same login ID and password as the domain account. In
that case he/she will be allowed to access resources in the domain. To prevent
this, you may wish to:
a) install an enterprise certificate authority
b) configure autoenrollment of certificates for workstations
c) apply a certificate to the workstation
d) create a policy that will deny access to resources without a valid certificate
(SMB signing).

Dusko Savatovic
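
Added example, not part of the thread and not written by either poster: a Python check that reads the text of a `secedit /export /areas USER_RIGHTS` file and reports whether "Add workstations to domain" (`SeMachineAccountPrivilege`) is still granted to broad built-in groups after the group policy change mentioned in the reply. The sample INF text, the `BROAD` audit list and the function names are assumptions made for illustration.

```python
# Added example: flag broad groups holding "Add workstations to domain".
# Input is the text of a `secedit /export /areas USER_RIGHTS` file.

# Constructed sample export, not taken from a real system.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Well-known broad principals (assumed audit list; extend as needed).
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}
BROAD_BY_NAME = {name.lower(): sid for sid, name in BROAD.items()}

def parse_privilege_rights(inf_text):
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in value.split(",") if h.strip()]
    return rights

def broad_holders(rights, privilege="SeMachineAccountPrivilege"):
    """Return (sid, name) for each broad principal holding the right."""
    found = []
    for holder in rights.get(privilege, []):
        # Accept a SID, a bare name, or a DOMAIN\name form.
        key = holder.rsplit("\\", 1)[-1].lower()
        sid = holder if holder in BROAD else BROAD_BY_NAME.get(key)
        if sid:
            found.append((sid, BROAD[sid]))
    return found

if __name__ == "__main__":
    for sid, name in broad_holders(parse_privilege_rights(SAMPLE_INF)):
        print(f"SeMachineAccountPrivilege is granted to {name} ({sid})")
```

secedit normally writes the export as UTF-16, so decode the file accordingly before passing its text to `parse_privilege_rights`.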
 
