This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 1%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hi everyone,
A local admin is able to unjoin a computer from a local domain in the Windows Settings > Accounts > Access work or school > click on the 'Disconnect' button. The local admin can do this without a password!
But if the local admin unjoins the computer from the local domain in Control Panel\All Control Panel Items\System > Change settings > click on 'Change' next to 'To rename this computer...' > set 'Member of' to 'Workgroup', a password from a domain admin is needed.
I searched for hours for a GPO that enforces a password for 'Disconnect from organization' or disables this button completely. I did not find anything.
Is there really no GPO for that?
We don't want local admins to unjoin their computers from our domain.
Best regards,
Patrick
Dears,
This section (Access work or school) is related to Microsoft Account. You can disable it by followings:
GPO: Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Block Microsoft accounts
Registry: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount\value=0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,@Patrick Meier
If you want to end this thread, and the answer was helpful for you, you can "mark it as answer" to help other community members find the helpful reply quickly.
If you have a better method to solve it, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If there is anything else we can do for you, please feel free to post here.
Best Regards,
Hi,
Based on my research , there is no option to disables this button completely.
But we can enforces a password for 'Disconnect from organization "through GPO settings .
We can configure the UAC settings under computer configuration>windows settings>>Security Settings >Local Policies>Security Options as following, then when you try to Disconnect from organization, a credential is needed.
But this policy is not just for this option,
• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Hi @Fan Fan ,
Thank you for your answer. Indeed, it seems to work.
So the admin must enter his password for all admin operations/functions, although he is logged in as Admin. This is not so great. We will discuss this in the team, but I think we will probably do without it for convenience.
Hi,
Thanks for your reply.
If you want to end this thread, and this answer was helpful for you, you can "mark it as answer" to help other community members find the helpful reply quickly.
If you have a better method to solve it, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If there is anything else we can do for you, please feel free to post here.
Best Regards,
Dears,
This section (Access work or school) is related to Microsoft Account. You can disable it by followings:
GPO: Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Block Microsoft accounts
Registry: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount\value=0
Hi,
Thank you for your answer. This GPO setting is already set. Also the registry key is set to 0. But this section is still there. Only the suggestion of FanFan-MSFT seems to work so far with the disadvantage that the admin has to constantly enter his password for any admin operation.
