Blocking Domain Unjoin

by Mitch Tulloch [Published on 17 May 2007 / Last Updated on 17 May 2007]

How to prevent users from removing their computers from the domain.

Domain users who are also members of the Administrators local group on their computers have the ability to remove their computers from the domain if they so choose. This would be bad of course, because it would mean that their machines would enter an unmanaged state (unaffected by Group Policy) and this would reduce their security and the security of user data stored on them.

How can you prevent users from unjoining their computers from the domain? Unfortunately, you can’t prevent it by modifying user rights; the only way is to remove their domain user accounts from the Administrators local group on their computers, which is yet another good reason for not granting users admin privileges over their machines. If your users already have admin privileges on their machines, however, you could customize this script from the TechNet Script Repository and deploy it using Group Policy to remove users from the Administrators local group on their machines. Test carefully before you take this step, as it can cause compatibility issues for some user applications if users are not admins on their machines.
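A script of this kind, written here as an added PowerShell example rather than the TechNet script the article points to: it walks the local Administrators group and removes every domain user account it finds, leaving local accounts and domain groups (such as Domain Admins) in place. The `$Keep` list and the `-WhatIf` switch are assumptions for this example; the script must run with local admin rights, for instance as a Group Policy computer startup script.

```powershell
# Added example (not the article's or TechNet's own script).
# Removes domain user accounts from the local Administrators group.
# Uses the ADSI WinNT provider so it also works on older Windows versions.
param(
    # Names of domain user accounts to leave in the group (assumption: e.g. a support account)
    [string[]]$Keep = @(),
    # Report what would be removed without changing anything
    [switch]$WhatIf
)

$group = [ADSI]"WinNT://./Administrators,group"
$localPrefix = "^WinNT://$([regex]::Escape($env:COMPUTERNAME))/"

foreach ($member in @($group.psbase.Invoke('Members'))) {
    $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
    $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
    $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

    # Only user objects are candidates; groups (Domain Admins etc.) stay untouched
    if ($class -ne 'User') { continue }
    # ADsPath is WinNT://<COMPUTER>/<name> for local accounts, WinNT://<DOMAIN>/<name> for domain ones
    if ($path -match $localPrefix) { continue }
    if ($Keep -contains $name) { continue }

    if ($WhatIf) {
        Write-Output "Would remove $path from local Administrators"
        continue
    }
    $group.psbase.Invoke('Remove', $path)
    Write-Output "Removed $path from local Administrators"
}
```

Run it once with `-WhatIf` on a test machine and compare the output against the group membership before deploying it through Group Policy.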

***

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.
