Prevent users from changing domain name

Woody

Hi All,

Does anyone know how to prevent users from changing the
domain (removing from domain) without preventing them
from changing IP Address?
Some of our users are required to have Static IP
Addresses.

Much Appreciated,
 
Hi,

This is controlled by user rights and as long as your users only have normal
user rights, they will not be able to do this.

Regards

Niclas
 
That is a tough one as those users are obviously local administrators on a
W2K box. XP Pro has the network configuration group that you can add users
to for the purpose of being able to change most network settings without
having to be an administrator.

There are a couple of things that you can try to help prevent that problem.
Many users do not know what they can do as a local administrator while
others know all the tricks and will be next to impossible to stop, though a
signed tough user computer use policy with defined and enforced consequences
may help.

Use Group Policy to remove properties from the My Computer context menu.
This is done in user configuration/administrative templates/desktop. Then
hide system properties [if they need no access to it] from the control panel
in user configuration/administrative templates/control panel. Users still
could access sysdm.cpl to open system properties. To prevent that you would
have to change the NTFS permissions on that file to leave possibly only the
domain admins group [which can be done via Group Policy/computer
configuration/file system]. Of course a local administrator can change NTFS
permissions. To deter that you can see the KB link below on how to use Group
Policy to remove the security tab from domain member computers. Other things
that you might try to do to limit the power of local administrators via
Group Policy, if it does not interfere with their functionality, may include
disabling the command prompt and registry editing, restricting ntfs
permissions on other binaries on the computer such as the net and secedit
command, adding cmd.exe, command.com, install.exe, and setup.exe to the
disallowed Windows Applications as described in the second KB link and
restricting their access to mmc snapins [particularly lusrmgr.msc]. Again
it is very hard to restrict a local administrator, but some or all of these
suggestions may be worth a try. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;303153
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
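
A read-only audit of the settings listed in the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later (newer than the W2K/XP machines discussed) and that it is run in the audited user's session, because the user-configuration policies are stored under HKCU.

```powershell
# Added example (not from the thread): report, change nothing.

# 1. Who is a local administrator? These accounts can remove the machine
#    from the domain. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
try {
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
    $admins = @()
}

# 2. Which of the user policies mentioned in the post are actually applied?
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = @(
    @{ Name = 'NoPropertiesMyComputer'; Path = $explorer }   # My Computer > Properties
    @{ Name = 'DisallowRun';            Path = $explorer }   # disallowed applications list enabled
    @{ Name = 'DisableRegistryTools';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
    @{ Name = 'DisableCMD';             Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
) | ForEach-Object {
    $name  = $_.Name
    $value = (Get-ItemProperty -Path $_.Path -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Policy = $name; Value = if ($null -eq $value) { 'not set' } else { $value } }
}

# 3. Are the binaries named in the post on the disallowed list?
$wanted  = 'cmd.exe', 'command.com', 'install.exe', 'setup.exe'
$key     = Get-Item -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
$blocked = if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } } else { @() }
$missing = $wanted | Where-Object { $_ -notin $blocked }

# 4. Who is still allowed to open sysdm.cpl (System Properties)?
$cpl      = Join-Path $env:SystemRoot 'System32\sysdm.cpl'
$aclAllow = (Get-Acl -Path $cpl).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights

'--- Local administrators ---';          $admins   | Format-Table -AutoSize
'--- User policies ---';                 $policies | Format-Table -AutoSize
'--- Not on the disallowed list ---';    $missing
'--- Allow entries on sysdm.cpl ---';    $aclAllow | Format-Table -AutoSize
```

Any named user account in the first table can undo the other three settings, so that list is the one to shrink first.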
 
Hi Steven,

Thank you for the suggestions!!
Currently all our users are local admins of their
machines. This is something we are trying to move away
from as much as possible without affecting their work.
I will go through all your suggestions and let you know
how I get on...

Much Appreciated,