Restricting user to join domain
I have one problem. I am using Windows 2008 R2 with Win7 clients. I have created users in AD. After joining the domain, the users can change from domain to workgroup without any help from the admin by using their user name and password.
So how can I restrict them so that they can't change to workgroup without the permission of the Administrator? One more thing: the users have local administrator rights.
October 20th, 2010 8:22am
Hi,
You can modify the visibility of the "computer name tab" in the registry with a logon script.
Take a look at this link
http://thedailyreviewer.com/windowsxp/view/computer-name-tab-disabled---how-can-i-enablie-it-back-101376768
HTH
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
October 20th, 2010 9:21am
Hello Aziz.mcsa,
By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10.
Default limit to number of workstations a user can join to the domain
http://support.microsoft.com/kb/243327
And if you'd like to prevent a domain user who is a member of the local Administrators group from changing the computer to a workgroup, please refer to the following thread:
prevent user to join domain computer to workgroup
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/00f77493-d0d3-4956-9b7a-536b8a04c7bb
Brent
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 25th, 2010 5:57am
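The quota described in the reply above can be audited from a domain-joined admin workstation. This is an added example, not code from any poster in the thread; it assumes the ActiveDirectory PowerShell module is available, and the function names are hypothetical. It covers only the join-side quota, not the disjoin problem raised in the question.

```powershell
# Added example: audit ms-DS-MachineAccountQuota and the computer accounts created under it.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT).
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The attribute is stored on the domain head object (the domain's own DN).
    $domainDn = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

function Get-QuotaJoinedComputer {
    # Computer objects created by ordinary users under the quota carry the
    # creator's SID in ms-DS-CreatorSID; accounts pre-staged by admins do not.
    Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = $_.'ms-DS-CreatorSID'
            try {
                $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $creator = $sid.Value   # creator deleted or unresolvable: keep the raw SID
            }
            New-Object PSObject -Property @{
                Computer = $_.Name
                Creator  = $creator
                Created  = $_.whenCreated
            }
        }
}

# Report the current quota and who has been using it.
"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-QuotaJoinedComputer |
    Group-Object Creator |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# A quota of 0 stops authenticated users without delegated rights from creating
# computer accounts. -WhatIf previews the change; remove it to apply.
Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```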
Hello Aziz.mcsa,
By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10.
What is the minimum privilege to join client PC to AD Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/27490147-f922-49d0-b105-4cc0a10c9324
Default limit to number of workstations a user can join to the domain
http://support.microsoft.com/kb/243327
Brent
October 25th, 2010 5:57am
Hello Aziz.mcsa,
By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10.
Hi Brent,
I think that the problem of Aziz.mcsa would be that domain users can disjoin clients from the domain, and not whether domain users can join clients to the domain.
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
October 25th, 2010 7:41am
Hi Edoardo,
Thanks for the reminder. As you know, the users have local administrator rights now, so they can also log on to their computer with local administrator credentials. In that case, the logon script does not work for the local administrator account, and they can still join the computer to a workgroup. I think we should restrict disjoining or joining the domain from the privileges of the domain user if possible.
Brent
October 25th, 2010 11:23am
Hi Edoardo,
Thanks for the reminder. As you know, the users have local administrator rights now, so they can also log on to their computer with local administrator credentials. In that case, the logon script does not work for the local administrator account, and they can still join the computer to a workgroup. I think we should restrict the privilege of the domain user to change its domain or workgroup if possible.
Brent
October 26th, 2010 7:14am
Hi Brent,
We are saying the same thing in two different ways ;-)
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
October 26th, 2010 4:09pm