Prevent users from joining machines to workgroups

[JBorecky]

I am the admin of a 2003 Domain. I have several users that need local admin rights on the box. <---(Developers go figure). These users keep removing themselves from the domain.(Grrr) Is there a Group Policy setting I can set to prevent them from doing this? Or a reg key I can change the permissions on? I know that I can change their membership to Power Users instead. But this would not be politically correct. And I would lose that battle. It seems to me that this is a logical setting but I can't find it anywhere in the GPO Settings. I also thought about a policy hash restriction against netdom. But am unsure which utility to restrict to include the GUI. Thanks in advance for any suggestions or answers.

 

[markdmac]

You could create a policy for the developers and block the running of Netdom simply by name. Since it is a MS signed utility, even if they rename the EXE the GPO would still block it.

I hope you find this post helpful.

Regards,

Mark

 

[markdmac]

You could also block their access to Control Panel System Applet but they may screem about that.

I hope you find this post helpful.

Regards,

Mark

 

[JBorecky]

But does the GUI under system properties use netdom also?

 

[markdmac]

No that is why I was recommending you block the applet in addition to netdom.

I hope you find this post helpful.

Regards,

Mark