Should a user be able to unjoin from domain?

Guest

I have a user, who does have local admin and has managed to unjoin his laptop
from the domain and put it into his own workgroup. Should he have been able to
unjoin from the domain without knowing a user name and password for someone
with domain admin security group membership?
 
Robert Moir

sysadmin said:
I have a user, who does have local admin and has managed to unjoin
his laptop from the domain and put it into his own workgroup. Should he
have been able to unjoin from the domain without knowing a user name
and password for someone with domain admin security group membership?

Of course he can. Local Admin rights mean that they own the machine that
they have those rights for, and can do whatever they like with it. He
hasn't modified the domain by joining his workstation to its own workgroup
instead of your domain, so rights on the domain are not relevant here.

This is just one of the reasons many people advise you not to give admin
rights to end users.

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".
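
A local check that follows from the answer above, added here as an example and not part of the original posts: it reports whether the machine currently considers itself domain-joined and lists members of the local Administrators group that are not on an allowlist. The function names and the `ApprovedSids` allowlist are hypothetical; the built-in Administrator (RID 500) and Domain Admins (RID 512) are assumed to be expected members.

```powershell
# Added example (not from the thread): audit local admin rights on a workstation.
# Function names and the -ApprovedSids allowlist are hypothetical.

function Test-ApprovedAdmin {
    param(
        [Parameter(Mandatory)] [string]   $Sid,
        [string[]] $ApprovedSids = @()
    )
    # Assumption: RID 500 (built-in Administrator) and RID 512 (Domain Admins)
    # are always acceptable members of the local Administrators group.
    if ($Sid -match '^S-1-5-21-(\d+-){3}(500|512)$') { return $true }
    return ($ApprovedSids -contains $Sid)
}

function Get-UnexpectedLocalAdmin {
    param([string[]] $ApprovedSids = @())
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the
    # SID avoids depending on the localized group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object {
            -not (Test-ApprovedAdmin -Sid $_.SID.Value -ApprovedSids $ApprovedSids)
        } |
        Select-Object Name, ObjectClass, PrincipalSource,
            @{ Name = 'Sid'; Expression = { $_.SID.Value } }
}

function Get-WorkstationAdminReport {
    param([string[]] $ApprovedSids = @())
    # Win32_ComputerSystem.PartOfDomain is $false once the machine has been
    # moved to a workgroup; Domain then holds the workgroup name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer          = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
        UnexpectedAdmins  = @(Get-UnexpectedLocalAdmin -ApprovedSids $ApprovedSids)
    }
}

# Report for the local machine with an empty allowlist.
Get-WorkstationAdminReport | Format-List
```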
 
Bruce Chambers

sysadmin said:
I have a user, who does have local admin and has managed to unjoin his laptop
from the domain and put it into his own workgroup. Should he have been able to
unjoin from the domain without knowing a user name and password for someone
with domain admin security group membership?


If he has administrative privileges to the workstation, certainly. If
you don't want him doing such things, why does he have administrative
privileges?


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
Vanguard

sysadmin guy said:
I have a user, who does have local admin and has managed to unjoin his laptop
from the domain and put it into his own workgroup. Should he have been able to
unjoin from the domain without knowing a user name and password for someone
with domain admin security group membership?


The user can log into the domain or choose to log in to a local
account. So apparently it is the property of the user or considered
such because they have local admin rights. So who really owns the
laptop?
 
