Hello,
To prevent domain users from being able to remove computers from the domain, you'll need to adjust some group policies and possibly review the delegation of permissions in Active Directory. Here are a few steps you can take to prevent domain users from removing computers from the domain:
- Verify Group Policy Settings:
- Open the Group Policy Management Console (GPMC) on your domain controller.
- Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
- Check the policy called "Remove computer from docking station." Ensure that the necessary permissions are correctly configured and do not grant domain users the ability to remove computers from the domain.
- Delegate Control Appropriately:
- In Active Directory Users and Computers (ADUC), ensure that delegation settings are appropriately configured.
- Right-click the Organizational Unit (OU) that contains the computer accounts and select "Delegate Control."
- Verify that domain users are not granted permissions that allow them to disjoin computers.
- Restrict Access to System Properties:
- Restrict Access to "System" Control Panel:
- You can use Group Policy Preferences to hide the System control panel to prevent users from accessing the area where they can disjoin the computer from the domain.
- User Configuration -> Administrative Templates -> Control Panel -> Prohibit access to Control Panel and PC settings.
- Review Effective Permissions:
- Check the effective permissions on the computer objects in Active Directory.
- Right-click the computer object, select "Properties," and go to the "Security" tab.
- Click "Advanced," then "Effective Access," and enter a domain user’s name to see what permissions they have on the object.
- Monitor and Audit: Enable auditing to track attempts and successful actions of removing computers from the domain.
- In the GPO, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon.
- Enable auditing for "Audit Account Logon Events" and "Audit Logon Events."
- In the GPO, go to
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
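An added example, not part of the answer above, for the "Review Effective Permissions" step: instead of opening the Security tab on each computer object by hand, this PowerShell function reads the ACL of every computer account in an OU through the ActiveDirectory module's AD: drive and lists the Allow entries granted to broad principals (Domain Users, Authenticated Users, Everyone) that carry write or delete rights on the object. The function name, the OU distinguished name and the rights pattern are my assumptions; it requires the RSAT ActiveDirectory module and read access to the objects.

```powershell
# Added example (not from the answer above): report ACEs on computer objects in an
# OU that give broad principals write/delete rights. Assumes the RSAT
# ActiveDirectory module is installed; the OU path used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-BroadComputerAce {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU holding the computer accounts (assumed value passed by caller).
        [Parameter(Mandatory)] [string] $SearchBase,
        # Principals that every domain user belongs to; an ACE for these applies to all users.
        [string[]] $BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone'),
        # Rights that allow changing or removing the computer object (assumed list).
        [string] $RightsPattern = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|Delete|DeleteChild|DeleteTree'
    )

    # Build one regex from the principal names so DOMAIN\Name and NT AUTHORITY\Name both match.
    $principalPattern = ($BroadPrincipals | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        # The AD: drive exposes each object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $principalPattern) { continue }
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $RightsPattern) { continue }

            [pscustomobject]@{
                Computer   = $computer.Name
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights.ToString()
                # GUID of the attribute or extended right the ACE is scoped to;
                # an all-zero GUID means the ACE applies to the whole object.
                ObjectType = $ace.ObjectType
                # Inherited entries come from the OU (or a parent) rather than the object itself.
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage with a placeholder OU; replace with the OU that holds your workstations.
Get-BroadComputerAce -SearchBase 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Read the output per row: a non-zero ObjectType GUID means the write right is limited to one attribute or validated write, while an all-zero GUID with GenericAll or GenericWrite is the case to chase down. Entries with Inherited set to True were granted on the OU or above, so remove them there (the same place the "Delegate Control" step configures) rather than on each computer.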