restricting User to join domain
I have one problem. I am using Windows 2008 R2 on the server and Windows 7 on the clients. I had created users in AD. After joining the domain, the users can change from domain to workgroup without any help from an admin by using their user name and password. So how can I restrict them so that they can't change to workgroup without permission of the Administrator? One more thing: the users have local administrator rights.
October 20th, 2010 8:22am

Hi, you can modify visibility of the "Computer Name" tab in the registry with a logon script. Take a look at this link: http://thedailyreviewer.com/windowsxp/view/computer-name-tab-disabled---how-can-i-enablie-it-back-101376768
HTH
Edoardo Benussi - Microsoft MVP Management Infrastructure - Systems Administration https://mvp.support.microsoft.com/Profile/Benussi Windows Server Italian Forum Moderator edo[at]mvps[dot]org
October 20th, 2010 9:21am

Hello Aziz.mcsa,
By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10.
Default limit to number of workstations a user can join to the domain: http://support.microsoft.com/kb/243327
And if you'd like to prevent a domain user who is a member of the local Administrators group from changing the computer to a workgroup, please refer to the following thread:
prevent user to join domain computer to workgroup: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/00f77493-d0d3-4956-9b7a-536b8a04c7bb
Brent
October 25th, 2010 5:57am

Hello Aziz.mcsa,
By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10.
What is the minimum privilege to join client PC to AD Domain? http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/27490147-f922-49d0-b105-4cc0a10c9324
Default limit to number of workstations a user can join to the domain: http://support.microsoft.com/kb/243327
Brent
October 25th, 2010 5:57am
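
Added example, not part of the original thread: a PowerShell audit of the ms-DS-MachineAccountQuota setting mentioned in the post above. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and RSAT) and a session with rights to read the domain; the final, commented-out line is the optional change that sets the quota to 0.

```powershell
# Added example: audit use of the default domain-join quota.
# Assumption: ActiveDirectory module is installed and the session can read the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# The quota is stored on the domain head object (default value: 10).
$quota = (Get-ADObject -Identity $domainDn `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $domainDn = $quota"

# Computer accounts created by ordinary users through the quota carry
# the creator's SID in mS-DS-CreatorSID, so the attribute shows who joined what.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try {
            $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # The creating account no longer exists; fall back to the raw SID.
            $creator = $sid.Value
        }
        New-Object PSObject -Property @{
            Computer = $_.Name
            Creator  = $creator
            Created  = $_.whenCreated
        }
    }

# Per-machine listing, then a count per creator to compare against the quota.
$joined | Sort-Object Creator, Created |
    Format-Table Computer, Creator, Created -AutoSize
$joined | Group-Object Creator | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Optional hardening: stop ordinary users from joining machines at all and
# delegate computer-object creation on specific OUs instead.
# Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

This covers only who can join machines; it does not stop a local administrator from moving a computer to a workgroup, which is the question the thread goes on to discuss.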

"Hello Aziz.mcsa, By default, any authenticated user can join computers to the domain; this is limited by the value of the ms-DS-MachineAccountQuota attribute, set by default to 10."
Hi Brent, I think that the problem of Aziz.mcsa would be that domain users can disjoin clients from domain and not if domain users can join clients to domain.
Edoardo Benussi - Microsoft MVP Management Infrastructure - Systems Administration https://mvp.support.microsoft.com/Profile/Benussi Windows Server Italian Forum Moderator edo[at]mvps[dot]org
October 25th, 2010 7:41am

Hi Edoardo,
Thanks for the reminder. As you know, the users have local administrator rights now; they can also log on to their computer with local administrator credentials. In that case, the logon script does not work for the local administrator account, and they can still join the computer to a workgroup. I think we should restrict disjoining or joining the domain from the privileges of the domain user if possible.
Brent
October 25th, 2010 11:23am

Hi Edoardo,
Thanks for the reminder. As you know, the users have local administrator rights now; they can also log on to their computer with local administrator credentials. In that case, the logon script does not work for the local administrator account, and they can still join the computer to a workgroup. I think we should restrict the privilege of the domain user from changing its domain or workgroup if possible.
Brent
October 26th, 2010 7:14am

Hi Brent, we are saying the same thing in two different ways ;-)
Edoardo Benussi - Microsoft MVP Management Infrastructure - Systems Administration https://mvp.support.microsoft.com/Profile/Benussi Windows Server Italian Forum Moderator edo[at]mvps[dot]org
October 26th, 2010 4:09pm

This topic is archived. No further replies will be accepted.
