Preventing Users from removing their PC from the Domain

rndinit9

Currently users are able to remove their PCs from the domain without being
prompted for a Domain Admin username/password. This is becoming a problem.
How can I set it so that, in order for a PC to be removed from the domain,
a domain admin username & password must be entered?

Your help is appreciated.
 
rndinit9

To add some info: The DC is Windows 2000
 
Steven L Umbach

A user needs to be a local administrator in order to remove their computer
from the domain. So the obvious answer is to not allow the user to be a
local administrator and look at ways for the user to function as needed
without being a local administrator. I know that may not always be possible.
There is no magic bullet to prevent local administrators from removing their
computer from the domain as local administrators by definition and design
are all powerful on their computer. About the best you can do is to have a
strict user policy that users sign and understand and that removing
computers from the domain is prohibited. You can also use Group Policy to
try and hide access to ways a user would use to remove their computer from
the domain if it does not interfere with their needed access to the
operating system. Group Policy can be used to hide or remove access to
Control Panel applets such as System which is probably what most users use.
That will not work however for skilled and determined users. --- Steve
 
rndinit9

Thank you Steven; however, I logged on as a non-local administrator. To
be more specific, a user.
The user does not have any privileges whatsoever. They cannot install
or uninstall software, but I'm willing to bet that even the guest
account (disabled by default) would be able to remove the PC from the
domain.

The funny thing is, when it prompts the user for a user name or
password, if you leave those fields blank and hit ok, it will work. And
the PC is removed from the domain. Would appreciate more replies.
 
Steven L Umbach

I have seen the behavior where you don't need to enter valid credentials if
you are logged on as a local administrator. Whenever I have not been logged
on as a user that is not in the local administrators group either explicitly
or by group membership I cannot even access the change name or network ID
settings as they are grayed out and a message shows that only a local
administrator can do such. I would double check that you are not logged on
as a user that is also a local administrator whether that be a domain
account or a local account. I would try it again but beforehand it would
help if you could post in a reply the results for the whoami /groups command
for the logged on user that can remove the computer from the domain and the
command net localgroup administrators. Whoami can be downloaded from
Microsoft and I believe it is a RK tool. --- Steve
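The two checks Steve asks for (whoami /groups and net localgroup administrators) can be scripted so the same audit can be run on every workstation instead of eyeballed one at a time. The following PowerShell is an added example, not something posted in this thread; it assumes the $ExpectedAdmins allow-list reflects who you intend to keep in the local Administrators group, and it uses the WinNT ADSI provider so it does not depend on the newer LocalAccounts cmdlets. On current Windows versions whoami.exe is built in, so the Resource Kit download is no longer needed.

```powershell
# Added example: audit who can disjoin this machine (i.e. who is a local administrator).
# Assumption: $ExpectedAdmins is a constructed allow-list; adjust it to your environment.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

# 1. Does the current logon token carry BUILTIN\Administrators (S-1-5-32-544)?
#    This is what "whoami /groups" would show for the logged-on user.
$identity     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal    = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isLocalAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Logged on as $($identity.Name); token is local admin: $isLocalAdmin"
# Caveat: with UAC enabled, a non-elevated prompt reports False even for an admin
# account, because the filtered token drops the Administrators SID. The System
# applet elevates before disjoining, so also inspect group membership directly.

# 2. Enumerate local Administrators membership ("net localgroup administrators").
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    # ADsPath looks like WinNT://DOMAIN/Domain Admins or WinNT://PCNAME/Administrator
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
Write-Host "Local Administrators: $($members -join ', ')"

# 3. Flag every member not on the allow-list: each one can remove the PC from the domain.
$unexpected = $members | Where-Object { $ExpectedAdmins -notcontains ($_ -split '\\')[-1] }
if ($unexpected) {
    Write-Warning "Unexpected local administrators: $($unexpected -join ', ')"
} else {
    Write-Host "Local Administrators membership matches the allow-list."
}
```

Run it in the context of the user who was able to disjoin the machine; in the original poster's case step 3 would have flagged that user's account (or a domain group containing it) straight away.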
 
rndinit9

You're right Steven,

I did find the user in the local admin group. So I suppose I have the
following tasks:

1.) Change all the local admin passwords
2.) Remove all users from localadmin groups
3.) Harden our security to the best of my ability

My problem is considered solved. However one last question.

Is there a way I can force valid authentication to be required to
remove a PC from a domain?

That would mean even if I'm a Domain Admin, and logged in such I would
still want windows to force me to type in my password.

Not sure if this would be of good use, but I'm curious if I can force
this behavior.

Thanks again Steven.
 
Steven L Umbach

Before you go and remove all users from the local administrators group,
which I think is usually a great idea, just make sure no problems arise in
that they can not do their jobs such as not being able to run a legacy
application though often such applications can work for a regular user with
some tweaking of folder and possibly registry permissions but not always.
You can also use Group Policy Restricted Groups to manage membership of
local computer groups on domain computers such as administrators and power
users. If you want to consider that then be sure to implement Restricted
Groups at the Organizational Unit level instead of the domain level for that
purpose and understand that Restricted Groups can remove all existing
members of the Restricted Group and replace them with the users/groups you
specify and that such change of removing existing members is not reversible
simply by removing the Restricted Groups Group Policy setting. To answer
your question it is not possible to require any special credentials to
remove a computer from the domain - the user just needs to be a local
administrator. The link below explains more about using Group Policy
Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html ---
Group Policy Restricted Groups
http://www.sysinternals.com/Utilities/PsPasswd.html --- this can help in
changing local account passwords
 
rndinit9

Thanks again Steven, I'll get started on reading that right away. =)
You've provided some very useful info.
 
Roger Abell [MVP]

Entering, or not, valid domain credentials at the domain prompt
during a disjoin in my experience only impacts whether the computer
object is removed, or not.
But I agree, local admin should be required in either event.
 
rndinit9

So you're saying:

If valid credentials are entered -> PC leaves domain, and Active
Directory Object is deleted
Invalid Credentials/none entered -> PC leaves domain but Object is not
deleted from Active Directory.

Correct ?
 
Roger Abell [MVP]

That has been my experience, W2k3 native forest.
 
Roger Abell [MVP]

Perhaps I should clarify further.
It is the machine local admin that controls disposition of the machine
relative to domain or workgroup membership. The local admin can
only join if they have that delegation in the domain or the machine account
was precreated. After a disjoin, that same remains true, whether
valid domain credentials were or were not provided so that the
computer object was deleted during the disjoin. If such credentials
were not provided, the computer object remains, but it must first
be reset before it could be used for a (re)join. I have noticed that
when the computer object remains, it is disabled. I have not (yet)
chased down exactly when this disabling occurs, in context of what
account, but you will notice the object displayed with the round red x.
 
Joe Richards [MVP]

You can't prevent an admin (or really anyone with local physical access)
on a machine from removing it from a domain. The credentials supplied
when it asks for credentials are simply to disable the account in the
domain. They are not required; if the computer can't disable the account
in AD, it will simply disjoin from the domain locally and leave the
domain account enabled.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
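Since, as Joe and Roger describe, the disjoin cannot be blocked and may or may not leave a trace on the computer object, the practical control is on the domain side: find computer accounts that were disabled by a disjoin, and find accounts that are still enabled but whose machine has stopped authenticating. The PowerShell below is an added example, not from this thread or from either MVP; it assumes the ActiveDirectory module (RSAT) is available and that 30 days without a logon is your staleness threshold.

```powershell
# Added example: detect computers that have (probably) left the domain.
# Assumption: the ActiveDirectory PowerShell module is installed on this host.
Import-Module ActiveDirectory

# Constructed threshold: a domain member normally refreshes lastLogonTimestamp
# at least every 14 days, so 30 days of silence is a reasonable first cut.
$StaleAfter = (Get-Date).AddDays(-30)
$cutoff     = $StaleAfter.ToFileTime()   # lastLogonTimestamp is stored as a FILETIME

# Case A (credentials supplied at disjoin): the computer object is disabled but still present.
# Pull whenChanged so you can see roughly when the disable happened.
$disabled = Get-ADComputer -Filter { Enabled -eq $false } -Properties LastLogonDate, whenChanged |
    Select-Object Name, LastLogonDate, whenChanged

# Case B (no credentials supplied): the object stays enabled and the only sign is that the
# machine no longer talks to the domain. Look for enabled accounts that have gone quiet.
$silent = Get-ADComputer -Filter { Enabled -eq $true -and lastLogonTimestamp -lt $cutoff } `
            -Properties LastLogonDate |
    Select-Object Name, LastLogonDate

Write-Host "Disabled computer objects (possible credentialed disjoin):"
$disabled | Format-Table -AutoSize
Write-Host "Enabled but silent since $($StaleAfter.ToShortDateString()) (possible uncredentialed disjoin):"
$silent | Format-Table -AutoSize
```

Case B will also pick up machines that are merely switched off or in storage, so treat the second list as a review queue rather than a verdict; a machine that appears there and is still on the network is the one worth asking about. Roger's note that a leftover object must be reset before a rejoin also means a re-enabled, reset account is itself an event you can watch for.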
 
rndinit9

In regard to what really happens when a PC leaves the domain, I liked
your answer the most, because it was clear and simple.
 
Roger Abell [MVP]

Hey Joe,

just fyi ...

It took me a while to remember to check this, but it is as I had
posted, i.e. without the credentials the computer account is just
disabled, but with them it is removed.
 
Joe Richards [MVP]

Hey Roger, I think it may vary based on bin levels... My primary
experience has been as I indicated, disabled if creds given, left
enabled when creds not given.

Consider this... When I look at a computer object in my AD, the
permissions granted to SELF wouldn't allow the computer to disable
itself. It wouldn't have permission to.

 
Roger Abell [MVP]

Hi Joe, Good 4th I hope.
Per your comments on the cred, yep, and as I mentioned in another
post of this thread, I have not dug in to see how this is possible,
that (in W2k3 native domain/forest) without creds the account
ends up disabled. I guess I have to carve out the time . . .
Nevertheless, last week I finally had a situation that reconfirmed
the behavior.
Roger
 
Joe Richards [MVP]

Odd... I just retested with an XP SP2 client in an R2 forest... Same
results, no disable if no creds, disable with creds.

 
Roger Abell [MVP]

Odd and interesting . . .
non-R2 vs R2 ??
 