Prevent Users from removing XP Workstation from Win2K Domain

M

MR-KEN

When a user removed an XP machine from a domain, they are prompted for a
username and password. I thought this was a great feature, assuming that
only a member of the Domain could remove the computer. This isn't the case.
You can even enter a false user account and it will still remove itself
from the Domain.

I know that there is a policy to prevent users from adding machines to the
domain, but is there a policy to prevent them from removing machines from
the domain?

Thank you.
 
M

Madhur Ahuja

MR-KEN said:
When a user removed an XP machine from a domain, they are prompted
for a username and password. I thought this was a great feature,
assuming that only a member of the Domain could remove the computer.
This isn't the case. You can even enter a false user account and it
will still remove itself from the Domain.


This is not true. how can a user with false credentials remove a computer
from the domain.
I know that there is a policy to prevent users from adding machines
to the domain, but is there a policy to prevent them from removing
machines from the domain?

Thank you.



--
Winners dont do different things, they do things differently.

Madhur Ahuja
India

Homepage : http://madhur.netfirms.com
Email : madhur<underscore>ahuja<at>yahoo<dot>com
 
T

Torgeir Bakken \(MVP\)

Madhur said:
This is not true. how can a user with false credentials remove
a computer from the domain.
Hi

Actually, it is true. You don't even have to enter a user name at
all in the authentication box that pops up, it is good enough to
just press the OK button (you may need to do it a couple of times
if the dialog box repeat itself).

The authentication is only used for trying to disable the computer
account entry in AD, and not for the actual local unjoining from
the domain.
 
B

Bob Qin [MSFT]

Hello,

Thanks for your posting here.

Torgeir is right. In fact, only the account in local adminsitrators group
can remove a computer from domain. If you do not want to let users to
remove computer from domain, you can just move them out of Local
Administrators group and move them to users group.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Subject: Prevent Users from removing XP Workstation from Win2K Domain
From: "MR-KEN" <[email protected]>
Date: Fri, 17 Sep 2004 16:42:02 GMT
Newsgroups: microsoft.public.win2000.general

When a user removed an XP machine from a domain, they are prompted
for a
username and password. I thought this was a great feature, assuming
that
only a member of the Domain could remove the computer. This isn't
the case.
You can even enter a false user account and it will still remove
itself
from the Domain.

I know that there is a policy to prevent users from adding machines
to the
domain, but is there a policy to prevent them from removing machines
from
the domain?

Thank you.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top