User restrictions to Join & Remove computer from Domain

    Question

  • We don't have a NAP/NAC solution in our environment; we make Group Policies like blocking removable devices, etc., but clients can remove computers from the domain and start using these devices.

    A user logged in with a local Admin account can come out of the domain and join a Workgroup with a fake username/password.

    I need a solution to achieve:

    1. User Can join Computer to Domain but no removal

    2. Grey out WORKGROUP Radio Button for Computer joined to domain

    3. If a local admin user is logged in to a domain-joined computer, they shouldn't be able to remove the computer from the domain

    I have one more question: how is it possible (with current resources) that computers must be in the domain to access any internal web-based application?

    Thank you.

    Monday, February 6, 2017 8:01 PM
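A defender-side check for the behaviour the question describes, added here as an example and not part of the original thread: when a computer is removed from the domain with valid credentials, Active Directory disables (rather than deletes) its computer account, and a machine that has quietly left the domain also stops rotating its machine-account password. The PowerShell below queries a domain controller for both conditions. It assumes the ActiveDirectory RSAT module and read access to the domain; the OU and the 45-day threshold are assumed placeholders.

```powershell
# Added example (not from the thread): find computer accounts that may have left
# the domain. Requires the ActiveDirectory RSAT module and a reader account.
# The search base and the stale-password threshold are assumed values; adjust
# them to your environment.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU
$StaleAfter = (Get-Date).AddDays(-45)              # machine passwords rotate every 30 days by default

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties Enabled, PasswordLastSet, LastLogonDate, OperatingSystem

# Unjoining with valid credentials disables the account on the DC.
$disabled = $computers | Where-Object { -not $_.Enabled }

# An enabled account whose password has not rotated is no longer talking to the
# domain (powered off, stale image, or quietly moved to a workgroup).
$stale = $computers | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $StaleAfter
}

$disabled |
    Select-Object Name, LastLogonDate, @{ n = 'State'; e = { 'Disabled' } } |
    Sort-Object LastLogonDate -Descending

$stale |
    Select-Object Name, PasswordLastSet, LastLogonDate, @{ n = 'State'; e = { 'StalePassword' } } |
    Sort-Object PasswordLastSet
```

Run it from a management host on a schedule and compare against a decommissioning list; a disabled or stale account that nobody decommissioned is a machine to go and look at. This only detects the unjoin after the fact, so it complements, rather than replaces, tight control of local Administrators membership.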

All replies

  • Hi

    1. User Can join Computer to Domain but no removal >>> Only administrative accounts and accounts with delegated permission can join computers to the domain.

    2. Grey out WORKGROUP Radio Button for Computer joined to domain >>> Standard user accounts do not have rights to join a computer to the domain.

    3. If local admin user logged in to Domain joined computer shouldn't able to remove computer from domain >>> You should configure the "Deny log on locally" GPO (this config solves your problem, I think..)

    https://technet.microsoft.com/en-us/library/cc957048.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, February 6, 2017 8:27 PM
  • Thank you Burak.

    1. I have no issues with joining computers to the domain; I want to restrict users (like local Admins) from un-joining computers from the domain.

    2. Is there any GPO or possibility to hide/disable/gray out the "workgroup" option for computers that are members of the domain?

    3. "Deny log on locally" is OK, but we cannot implement it in our environment because a lot of users use local accounts, and preventing them in one shot isn't easy for us.

     
    Monday, February 6, 2017 8:40 PM
  • Unfortunately, local admins have administrative rights, so they can do anything on local computers; that's why they're called "Administrators"..

    You can remove all local admins from computers (with a restricted GPO) and then just add the necessary accounts to the local admins group. That's the way, I guess, in your situation.


    Tuesday, February 7, 2017 7:42 AM
  • Hello,

    As correctly stated by Burak Uğur, the "remove computer from domain" operation requires local administrative permissions on the computer itself and thus can only be restricted if you tightly control local admins membership.

    /Regards

    Tuesday, February 7, 2017 1:33 PM
  • If I want "Deny log on locally" through GPO for all the local users except the "Administrator" user, even members of the Administrators group, what do I have to do?

    "Allow log on locally" for BUILTIN\Administrator is not working... What is the correct username/group name that should be added here?

    Tuesday, February 7, 2017 8:20 PM
  • Hi,

    I doubt that it could be done, as members of administrators group are actually “administrators”.

    In my experience, you could control the number of local accounts, keep it as low as possible, and not let users know the local account.

    Here is a similar thread, you could refer to: http://superuser.com/questions/833507/is-there-any-method-in-domain-network-that-only-prevent-local-users-accountcl

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 10, 2017 2:06 AM
    Moderator
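Both Burak's advice (strip the local Administrators group down to the accounts you actually need, which is what the Restricted Groups policy enforces) and Wendy's (keep the number of local accounts to a minimum) come down to knowing what is on each machine. The PowerShell below, added here as an example and not code from the thread, audits a workstation against an allowlist and reports drift. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated session, and the placeholder allowlist names shown, which you would replace with your own groups.

```powershell
# Added example (not from the thread): audit local Administrators membership and
# enabled local accounts against an allowlist, reporting anything unexpected.
# Requires Microsoft.PowerShell.LocalAccounts and an elevated session.
# The allowlist entries below are assumed placeholders.

$AllowedAdmins = @(
    'Administrator',               # built-in local Administrator
    'CONTOSO\Domain Admins',       # assumed domain group; replace with your own
    'CONTOSO\Workstation Admins'   # assumed delegated group; replace with your own
)
# Built-in local accounts that are expected to exist (Guest is deliberately
# left off so an enabled Guest account is reported).
$AllowedLocalUsers = @('Administrator', 'DefaultAccount', 'WDAGUtilityAccount')

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is not domain-joined (workgroup: $($cs.Workgroup))"
}

# Get-LocalGroupMember reports local accounts as 'COMPUTER\user' and domain
# principals as 'DOMAIN\name'; strip the local prefix before comparing.
$computer = $env:COMPUTERNAME
$unexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object {
        $name = $_.Name
        if ($name -like "$computer\*") { $name = $name.Substring($computer.Length + 1) }
        $name
    } |
    Where-Object { $AllowedAdmins -notcontains $_ }

# Enabled local accounts outside the allowlist: the extra local users Wendy
# suggests keeping to a minimum, and the ones a "Deny log on locally" policy
# would have to cover.
$unexpectedLocalUsers = Get-LocalUser |
    Where-Object { $_.Enabled -and ($AllowedLocalUsers -notcontains $_.Name) } |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    ComputerName         = $cs.Name
    PartOfDomain         = $cs.PartOfDomain
    Domain               = $cs.Domain
    UnexpectedAdmins     = @($unexpectedAdmins)
    UnexpectedLocalUsers = @($unexpectedLocalUsers)
}
```

The script only reports; enforcement belongs in Group Policy (Restricted Groups, or Group Policy Preferences Local Users and Groups), which re-applies the intended membership at every refresh. Running the audit from a remote management host with Invoke-Command across the fleet gives you a list of machines where a local account or an extra administrator has appeared, which is exactly the population that can still unjoin a computer.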
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Monday, February 13, 2017 9:43 AM
    Moderator