none
Group Policy

    Question

  • Hi All,

    I'm using Windows Server 2008 r2. Please let me know about a policy where I want to restrict users from changing the domain on their system. I mean to say , I want the workgroup option and domain option to be greyed out , so that they don't change the domain they are connected to in the workstation. 

    Saturday, July 7, 2018 12:47 PM

Answers

  • Hi Dz.5678

    There is no policy that I know off that disable those options. The only way I know of greying out those options is by stopping / disabling the workstation service (This is from troubleshooting a domain join issue before). That is not really a recommend way to stop users from changing domain as it causes other issues as some services are dependant on that serivce. Limiting local admins is the best way. 


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    • Marked as answer by dz.5678 Monday, July 16, 2018 3:18 AM
    Friday, July 13, 2018 7:54 AM

All replies

  • Hi Dz.5678

    There is no policy to restrict changing domain joined device to a workgroup. You should just restrict who is a local admin and once the users dont have local admin rights they wont be able to change to a workgroup. 


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.


    Saturday, July 7, 2018 1:03 PM
  • Hi,

    To change a machine from domain to workgroup, the user must be member of local administrators group.

    To be sure that the user is not able to do change the domain of the machine, you can use GPO to  control the members of local administrators on members server and workstation by using the restricted Group   or via Group Policy preference:

    https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    Saturday, July 7, 2018 6:28 PM
  • Hi 

    You are talking about the administrative rights. I have a workstation at my office where I'm connected to a Company domain. I have the admin rights to install softwares and perform some tasks on my system, but I'm not allowed to change the domain to workgroup or vice-versa because the option is greyed out. There's a policy that has been applied. I Need to know about that policy as I'm testing at my home environment.

    thanks,

    Monday, July 9, 2018 3:43 AM
  • Waiting for a reply.
    Tuesday, July 10, 2018 12:48 PM
  • Waiting for a reply
    Wednesday, July 11, 2018 6:53 AM
  • Let me tell you about what I want - computer(right-click)-properties-Advanced system settings -computer name- change and network id option should be greyed out (disabled) so that nobody can change the domain to workgroup .

    It's as per Windows 7.

    Friday, July 13, 2018 7:26 AM
  • Hi Dz.5678

    There is no policy that I know off that disable those options. The only way I know of greying out those options is by stopping / disabling the workstation service (This is from troubleshooting a domain join issue before). That is not really a recommend way to stop users from changing domain as it causes other issues as some services are dependant on that serivce. Limiting local admins is the best way. 


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    • Marked as answer by dz.5678 Monday, July 16, 2018 3:18 AM
    Friday, July 13, 2018 7:54 AM