How can you prevent users from unjoining their computers from the domain? Unfortunately, you can’t prevent by modifying user rights, you can only do it by removing their domain user account from the Administrators local group on their computers, which is yet another good reason for not granting users admin privileges over their machines. If your users already have admin privileges on their machines however, you could customize this script from the TechNet Script Repository and deploy it using Group Policy to remove users from the Administrators local group on their machines, but you should carefully test before you take this step as it can cause compatibility issues for some user applications if users are not admins on their machines.
Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.