How to Restrict Domain Users Disjoining Computers from Domain?

Eyasu Birhanu 0 Reputation points
2024-10-09T14:26:42.71+00:00

Why can domain users disjoin from the AD domain? How can I deny anyone from disjoining (leaving the domain and going back to a workgroup), by GPO or any other way?

Tags: Active Directory, Active Directory Federation Services

2 answers

Sort by: Most helpful
  1. Thomas Nielsen 136 Reputation points
    2024-10-09T16:39:08.5966667+00:00

  2. Wesley Li 10,245 Reputation points
    2024-10-10T15:17:58.3366667+00:00

    Hello

    To restrict domain users from disjoining computers from the domain, you can use Group Policy Objects (GPOs) to enforce security settings. Here are the steps you can follow:

    1. Modify User Rights Assignment: Ensure that only authorized users have the right to remove computers from the domain.
       - Open the Group Policy Management Console (GPMC).
       - Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
       - Find the policy Remove computer from docking station and ensure that only authorized users or groups are listed.

    2. Restrict Local Administrator Rights: Ensure that domain users do not have local administrator rights on their machines, as this can allow them to disjoin the computer from the domain.
       - Use Restricted Groups in GPO to control membership of the local Administrators group.
       - Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
       - Add the Administrators group and specify the members who should be part of this group.

    3. Use Security Filtering: Apply the GPO to specific Organizational Units (OUs) where you want to enforce these restrictions.
       - In the GPMC, create a new GPO or edit an existing one.
       - Link the GPO to the desired OU.
       - Use security filtering to apply the GPO to specific groups or users.

    4. Monitor and Audit: Regularly monitor and audit the domain join and leave activities.
       - Enable auditing for account management in the GPO.
       - Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management.
       - Enable auditing for User Account Management and Computer Account Management.

    By following these steps, you can effectively restrict domain users from disjoining computers from the domain and ensure that only authorized personnel have the necessary permissions to perform such actions.
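As an added illustration (not part of the answer above, and not Microsoft tooling), the following PowerShell checks the one thing that actually decides whether a domain user can leave the domain: membership of the workstation's local Administrators group. Removing a computer from a domain (System Properties or Remove-Computer) requires local administrator rights on that computer, so Restricted Groups enforcement plus a periodic audit for drift is the control that matters, and a disjoin that can reach a domain controller disables the computer account, which the "Audit Computer Account Management" subcategory records as event 4742 (4743 if the account is deleted). The script assumes RSAT's ActiveDirectory module, WinRM-reachable workstations, Windows PowerShell 5.1 for Get-LocalGroupMember, and invented names: the CONTOSO domain, the OU path, the allowed-group list and the domain controller DC01.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory module installed,
# WinRM enabled on targets, Windows PowerShell 5.1 (Get-LocalGroupMember), and invented names
# (CONTOSO, OU=Workstations, DC01). Run from a workstation admin context.
#Requires -Modules ActiveDirectory

# Groups that may legitimately hold local admin on workstations (assumed; adjust to your environment).
$AllowedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

# Workstations to audit. The OU path is an assumption.
$Targets = (Get-ADComputer -Filter "Enabled -eq 'True'" `
            -SearchBase 'OU=Workstations,DC=contoso,DC=com').Name

# 1. Collect local Administrators membership from every reachable machine.
$Membership = Invoke-Command -ComputerName $Targets -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name             # e.g. CONTOSO\jdoe or CONTOSO\Domain Admins
            Class    = $_.ObjectClass      # User or Group
            Source   = $_.PrincipalSource  # Local or ActiveDirectory
        }
    }
}

# 2. Flag domain principals that are not on the allowed list. A domain user or group that shows
#    up here has local admin and can disjoin the machine regardless of any user-rights setting.
$Violations = $Membership | Where-Object {
    $_.Source -eq 'ActiveDirectory' -and $_.Member -notin $AllowedAdmins
}
$Violations | Sort-Object Computer, Member | Format-Table Computer, Member, Class -AutoSize

# 3. Detection side: list computer-account changes (4742) and deletions (4743) on the DC for the
#    last 7 days. A disjoin shows as a 4742 whose User Account Control field reports the account
#    being disabled. The event XML is parsed by field name so the code does not depend on the
#    ordering of the Properties[] array.
$Since = (Get-Date).AddDays(-7)
Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{ LogName = 'Security'; Id = 4742, 4743; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Account   = $d['TargetUserName']    # the computer account, e.g. WS042$
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The first report is what Restricted Groups should make empty; any row it prints is a machine where the GPO has not applied or where someone was added back locally. The second report is the audit trail the answer's step 4 enables; correlate the ChangedBy value with the membership report to see which local admin performed the disjoin.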

