Dear Sir,How to prevent a ordinary domain user to join domain computer to a workgroup? I have gone through the group policy and found " Add workstation to domain" policy , this helps me only to prevent the ordinary user to join 'from workgroup to domain' but not 'from domain to workgroup'Please any one help me .Thanks and RegardsAbdul Rahuman.M

Hi,As far as I know, ss long as the domain user is not a member of the computer's local administrators group, he should not be able to disjoin the machine from the domain. You should try to implement the principle of least privilege to user accounts and not just grant administrative rights to your users:Applying the Principle of Least Privilege to User Accountshttp://technet.microsoft.com/en-us/library/bb456992.aspx.Regards,Salvador Manaois IIIMCITP | Enterprise & Server AdminMCSE MCSA MCTS CIWA C|EHBytes & Badz: http://badzmanaois.blogspot.com

Hi,As Salvador explained, a Domain user without administrator rights cannot dejoin a computer. If the user are already Local Administrators, you can use Computer Startup script to remove them from Local Administrator Group or use Restricted Group to reset Local Administrator group.For more information about Restricted Groups, please refer to the following article.Restricted Groupshttp://technet.microsoft.com/en-us/library/cc785631.aspx Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.

hi, thanks for your reply, i was in vacation and i couldnt able to read ur replies. Many of our users are local administrator since they are managers. What i do in this case? they simply disjoin their computers and calling me for joining again. how to stop this? Regards Abdul Rahuman.M

Hi Salvador, I'm having the opposite problem. I want to prevent people using domain user account from joining the domain. So explicitly, using only Domain Administrators account to successfully join the domain. Please tell me how? Pardon for my poor English. Thank you.Regards, Rafael Hengky