How can I stop administrators from taking their computers out of the domain?
All the users in our company (4000) are administrators of their computers (their network user is a part of the local administrators group). This was done since about 50% of the people in the company are developers. However, we have a few users who take their machines out of the domain -- for many reasons, such as home networking, connecting to clients' networks, etc. Do you know how this can be stopped? Maybe there is a way in Win2k/XP to hide the network identification tab, or to disable the "Member of" part of this tab?
You can certainly use group policy administrative templates and security settings to lock down access to Windows 2000/XP features. However, since your users are local administrators they may be able to reset some things. However, if you can create a group policy at the Windows 2000 domain level, or at the appropriate OU level, all Windows 2000/XP Professional systems that are in the domain (or whose accounts are in the OU, if you are going to address the issue that way) will be controlled by these policies, and to change them would require membership in the domain admin group or delegation of authority granting them specific permissions. You might also do some testing; in many cases it is not necessary for the developer to be an administrator on their machine in order to do their development work. You can also segment your network and isolate your developers in a development domain, where if they must have higher privileges, their ability to impact your production domain is limited.
You also mention that "all" users are local administrators while developers represent only 50% of this number. You need to evaluate your organization's security policy. There is no reason to be making all users administrators. At least 50% of your users have no need at all, yet you are giving them privileges way beyond their wildest dreams. They have the ability to not only annoy you with the configuration issues above, but also put your company in a severe risk situation. Think about the spread of malicious code (run a malicious executable as an ordinary user and its damage is limited; run it as administrator and it can be devastating); think of the elevation of privilege attacks that might provide them with elevated privileges on other machines (including servers and domain controllers); think of the increased support costs as they do things they shouldn't do and go places they don't need to go; and think of their ability to subvert and ignore security policies on the local level. I could go on.
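The answer above points at two things an administrator would want to measure rather than guess at: which machines have actually left the domain, and which machines have more members in the local Administrators group than policy intends. The following script is an added example, not part of the original answer and not a Microsoft-supplied tool, written for a current Windows environment (the RSAT ActiveDirectory module on the admin workstation, PowerShell 5.1 or later and WinRM on the clients), so it does not apply to the Windows 2000/XP tooling the question names. The 45-day staleness threshold and the expected-admin patterns (including the CONTOSO domain name) are placeholder assumptions to adjust.

```powershell
# Added example: audit AD for machines that appear to have left the domain, and
# enumerate local Administrators membership on the machines that are still reachable.
# Assumes the RSAT ActiveDirectory module locally and WinRM access to the clients.

Import-Module ActiveDirectory

function Get-SuspectedOffDomainComputers {
    # Domain members renew their machine-account password every 30 days by default,
    # and leaving the domain with domain credentials disables the computer account.
    # An account that is disabled, or whose password has not rotated for longer than
    # $StaleDays, is therefore a candidate for a machine that is no longer joined.
    param([int]$StaleDays = 45)   # placeholder threshold: 30-day rotation plus slack

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate |
        Where-Object { (-not $_.Enabled) -or ($_.PasswordLastSet -lt $cutoff) } |
        Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
}

function Get-LocalAdminReport {
    # For each reachable computer, list members of the local Administrators group
    # that do not match one of the expected patterns. Member names come back as
    # "MACHINE\Administrator" or "DOMAIN\Group", so wildcard patterns are used.
    param(
        [string[]]$ComputerName,
        [string[]]$ExpectedAdminPatterns = @('*\Administrator', 'CONTOSO\Domain Admins')  # placeholders
    )

    foreach ($name in $ComputerName) {
        try {
            $members = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
            }
            $unexpected = foreach ($m in $members) {
                $matched = $ExpectedAdminPatterns | Where-Object { $m -like $_ }
                if (-not $matched) { $m }
            }
            [pscustomobject]@{
                Computer    = $name
                Reachable   = $true
                ExtraAdmins = @($unexpected)
            }
        }
        catch {
            # A machine that has left the domain typically fails Kerberos/WinRM here;
            # report it as unreachable rather than silently skipping it.
            [pscustomobject]@{
                Computer    = $name
                Reachable   = $false
                ExtraAdmins = @()
            }
        }
    }
}

# Usage: first the AD-side view (needs no access to the clients at all) ...
Get-SuspectedOffDomainComputers | Format-Table -AutoSize

# ... then the per-machine view for enabled accounts, showing only machines with extra admins.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty DNSHostName
Get-LocalAdminReport -ComputerName $targets |
    Where-Object { -not $_.Reachable -or $_.ExtraAdmins.Count -gt 0 } |
    Format-Table -AutoSize
```

The AD-side check is the more reliable of the two for the specific problem in the question, because a machine that has been removed from the domain can no longer be queried over WinRM with domain credentials; the report deliberately lists unreachable machines so they can be cross-checked against the stale-password list. As the answer notes, group policy only constrains a machine while it is joined, so a periodic audit like this complements the policy rather than replacing the decision about who really needs local administrator rights.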
This was first published in November 2002