How can I prevent domain users from removing joined computers from the domain?

Hana Wudu 0 Reputation points
2024-10-24T07:20:35.6033333+00:00

Hello there,

I have an issue where domain users are able to disjoin from the domain without any problem. They don't have local admin privileges, and when I pass the request to enter System Properties with my local admin account, select Workgroup and click OK, a prompt appears requesting an account that has permission to remove the computer from the domain. When I enter a domain user account (without any domain admin, delegated control or local admin rights), it removes the computer. How can I stop domain users from removing the computer from the domain?


1 answer

Sort by: Most helpful
  1. Yanhong Liu 11,475 Reputation points Microsoft Vendor
    2024-10-25T08:44:16.6633333+00:00

    Hello,

    To prevent domain users from being able to remove computers from the domain, you'll need to adjust some group policies and possibly review the delegation of permissions in Active Directory. Here are a few steps you can take to prevent domain users from removing computers from the domain:

    1. Verify Group Policy Settings:
      • Open the Group Policy Management Console (GPMC) on your domain controller.
      • Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
      • Check the policy called "Remove computer from docking station." Ensure that the necessary permissions are correctly configured and do not grant domain users the ability to remove computers from the domain.
    2. Delegate Control Appropriately:
      • In Active Directory Users and Computers (ADUC), ensure that delegation settings are appropriately configured.
      • Right-click the Organizational Unit (OU) that contains the computer accounts and select "Delegate Control."
      • Verify that domain users are not granted permissions that allow them to disjoin computers.
    3. Restrict Access to System Properties:
      • Restrict Access to "System" Control Panel:
        • You can use Group Policy Preferences to hide the System control panel to prevent users from accessing the area where they can disjoin the computer from the domain.
        • User Configuration -> Administrative Templates -> Control Panel -> Prohibit access to Control Panel and PC settings.
    4. Review Effective Permissions:
      • Check the effective permissions on the computer objects in Active Directory.
      • Right-click the computer object, select "Properties," and go to the "Security" tab.
      • Click "Advanced," then "Effective Access," and enter a domain user’s name to see what permissions they have on the object.
    5. Monitor and Audit: Enable auditing to track attempts and successful actions of removing computers from the domain.
      • In the GPO, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon.
      • Enable auditing for "Audit Account Logon Events" and "Audit Logon Events."

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

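To make the permission review in step 4 repeatable across many computer objects, here is an added PowerShell example (not part of the answer above) that prints the owner of a computer object and any Allow ACEs granting write-type rights to broad groups. It assumes the RSAT ActiveDirectory module is installed and uses WS01 as a placeholder computer name.

```powershell
# Added example, not from the answer above. Assumes the RSAT ActiveDirectory
# module (provides the AD: drive used by Get-Acl) and a computer named WS01.
Import-Module ActiveDirectory

function Get-BroadWriteAces {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Principals that normally should not hold write rights on computer objects
        [string[]]$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')
    )

    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

    # The owner of an object can always change its DACL, so report it first.
    Write-Host ("Computer: {0}`nOwner:    {1}`n" -f $computer.Name, $acl.Owner)

    # Any of these rights lets a principal change attributes such as userAccountControl.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }

        # IdentityReference is usually DOMAIN\Name or NT AUTHORITY\Name; keep the name part.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($BroadPrincipals -notcontains $name) { continue }

        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            # All-zero ObjectType means the right applies to every attribute, not one property set.
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

# Placeholder computer name; replace with the workstation you are reviewing.
Get-BroadWriteAces -ComputerName 'WS01' | Format-Table -AutoSize
```

Inherited entries point back to the OU or domain ACL, so a hit with Inherited = True should be fixed at that level rather than on each computer object.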
