Should a user be able to unjoin from domain?

Guest

I have a user, who does have local admin and has managed to unjoin his laptop
from the domain and put into his own workgroup. Should he have been able to
unjoin from the domain without knowing a user name and password for someone
with domain admin security group membership?
 
sysadmin said:
I have a user, who does have local admin and has managed to unjoin
his laptop from the domain and put into his own workgroup. Should he
have been able to unjoin from the domain without knowing a user name
and password for someone with domain admin security group membership?

Of course he can. Local Admin rights mean that they own the machine that
they have those rights for, and can do whatever they like with it. He
hasn't modified the domain by joining his workstation to its own workgroup
instead of your domain, so rights on the domain are not relevant here.

This is just one of the reasons many people advise you not to give admin
rights to end users.

--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".
 
sysadmin said:
I have a user, who does have local admin and has managed to unjoin his laptop
from the domain and put into his own workgroup. Should he have been able to
unjoin from the domain without knowing a user name and password for someone
with domain admin security group membership?


If he has administrative privileges to the workstation, certainly. If
you don't want him doing such things, why does he have administrative
privileges?


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
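
An added example, not part of any post in this thread: a check run locally on a workstation that reports whether the machine is still domain-joined and which members of the local Administrators group fall outside an expected set. The RID-based allowlist (built-in Administrator and Domain Admins) and the function name `Test-AllowedAdmin` are assumptions made for illustration.

```powershell
# Added example: report domain-join state and unexpected local administrators.
# Assumption: only the built-in Administrator (RID 500) and Domain Admins (RID 512)
# are expected in the local Administrators group; adjust for your environment.
$allowedRidPattern = '-(500|512)$'

function Test-AllowedAdmin {
    # Hypothetical helper: true when the SID ends in an allowed RID.
    param([string]$Sid)
    return $Sid -match $allowedRidPattern
}

# PartOfDomain is False once the machine has been moved to a workgroup.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale independent).
try {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    # Enumeration can fail, for example when the group holds an orphaned SID.
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    $members = @()
}

$unexpected = $members | Where-Object { -not (Test-AllowedAdmin $_.SID.Value) }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
    UnexpectedAdmins  = @($unexpected | ForEach-Object {
        "$($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]"
    })
}
```

Any end-user account listed under `UnexpectedAdmins` can do what the posts above describe, so that list is the thing to reduce.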
 
sysadmin guy said:
I have a user, who does have local admin and has managed to unjoin
his laptop from the domain and put into his own workgroup. Should he
have been able to unjoin from the domain without knowing a user name
and password for someone with domain admin security group membership?


The user can log into the domain or choose to log in to a local
account. So apparently it is the property of the user or considered
such because they have local admin rights. So who really owns the
laptop?
 