
How can I stop administrators from taking their computers out of the domain?

All the users in our company (4000) are administrators of their computers (their network user is a part of the local administrators group). This was done since about 50% of the people in the company are developers. However, we have a few users who take their machines out of the domain -- for many reasons, such as home networking, connecting to clients' networks, etc. Do you know how this can be stopped? Maybe there is a way in Win2k/XP to hide the network identification tab, or to disable the "Member of" part of this tab?
You can certainly use group policy administrative templates and security settings to lock down access to Windows 2000/XP features. However, since your users are local administrators they may be able to reset some things. However, if you can create a group policy at the Windows 2000 domain level, or at the appropriate OU level, all Windows 2000/XP Professional systems that are in the domain (or whose accounts are in the OU, if you are going to address the issue that way) will be controlled by these policies, and to change them would require membership in the domain admin group or delegation of authority granting them specific permissions. You might also do some testing; in many cases it is not necessary for the developer to be an administrator on their machine in order to do their development work. You can also segment your network and isolate your developers in a development domain, where if they must have higher privileges, their ability to impact your production domain is limited.

You also mention that "all" users are local administrators while developers represent only 50% of this number. You need to evaluate your organization's security policy. There is no reason to be making all users administrators. At least 50% of your users have no need at all, yet you are giving them privileges way beyond their wildest dreams. They have the ability to not only annoy you with the configuration issues above, but also put your company in a severe risk situation. Think about the spread of malicious code (run a malicious executable as an ordinary user and its damage is limited; run it as administrator and it can be devastating); think of the elevation of privilege attacks that might provide them with elevated privileges on other machines (including servers and domain controllers); think of the increased support costs as they do things they shouldn't do and go places they don't need to go; and think of their ability to subvert and ignore security policies on the local level. I could go on.
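Added example, not part of the original answer: a PowerShell audit that reports who sits in the local Administrators group on domain workstations and whether each host still reports itself as domain-joined, so the ordinary users the answer says should not be administrators can be found and removed. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), WinRM enabled, and the placeholder domain and group names CONTOSO\Domain Admins and CONTOSO\Workstation Admins.

```powershell
# Added example (not from the original answer). Lists members of the local
# Administrators group on each named workstation that are not on the approved
# list, plus whether the machine still belongs to the domain.
# Assumes PowerShell 5.1+ on targets and WinRM; names below are placeholders.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$ApprovedMember = @(
        'CONTOSO\Domain Admins',        # placeholder domain group
        'CONTOSO\Workstation Admins'    # placeholder domain group
    )
)

function Get-UnapprovedLocalAdmin {
    param([string]$Computer, [string[]]$Approved)

    $result = Invoke-Command -ComputerName $Computer -ScriptBlock {
        # PartOfDomain is $false once a user has pulled the host out of the domain.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem
        [pscustomobject]@{
            PartOfDomain = $cs.PartOfDomain
            Members      = @(Get-LocalGroupMember -Group 'Administrators' |
                             Select-Object Name, ObjectClass, PrincipalSource)
        }
    }

    foreach ($m in $result.Members) {
        # The built-in local Administrator account is always a member; skip it.
        if ($m.Name -eq "$Computer\Administrator") { continue }
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer     = $Computer
                PartOfDomain = $result.PartOfDomain
                Member       = $m.Name
                Type         = $m.ObjectClass   # User or Group
                Source       = $m.PrincipalSource
            }
        }
    }
}

$ComputerName |
    ForEach-Object { Get-UnapprovedLocalAdmin -Computer $_ -Approved $ApprovedMember } |
    Format-Table -AutoSize
```

Every row in the output is a candidate for removal from the local Administrators group, which the answer's group-policy approach can then enforce centrally.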

This was last published in November 2002
