Prevent domain-joined hosts from leaving domain control

Source: Internet
Author: User

First, Introduction

Once all of the company's hosts are joined to the domain, the first task of the SA is to prevent domain-joined hosts from escaping the control of the domain. What made me see the necessity of this work was a programmer: the day before, I had just finished deploying the ban on running QQ, and the next morning I saw the guy chatting. He must have gone back to logging in with his old local account.

My company installs a miscellaneous range of software, and a lot of it throws errors when run without administrator rights, so I have to grant the "domain account" local administrator rights. Permissions this broad bring a series of consequences: users can leave the domain and create local administrator accounts. This management approach is also a challenge for the SA.

Second, the principle

Prohibit access to the Users and Groups administrative tool, so users cannot find the tool for creating a new local account. Rename Administrator and delete all local accounts, so users have no local account to log in with. When a user creates a new account from the command line, login with it is rejected because the default profile is not accessible. Hide the window used to leave the domain, so the user cannot find it. Prohibit changing the IP address: a host moved to an IP in a different network segment from the DC can still be logged in to, but it is out of control.

Third, the configuration

1. Create a new domain Group Policy named "Prevent out of domain"

Start > Administrative Tools > Domain Group Policy

2. Prohibit access to the Users and Groups administrative tool, to prevent the creation of new local accounts

3. Rename Administrator to root and delete all local accounts, to prevent login with a local administrator account

How to delete the local accounts: use domain Group Policy to publish a batch file that lists the users on each host and sends the output to a shared folder on one host. After all accounts have been collected, publish the batch file that deletes the users.

Publish the batch file so that it runs automatically after the account logs in.

Collect the accounts, then delete them (username is the account to delete):

net user > \\192.168.1.100\log\%username%
net user username /del

4. Deny access to the default profile, so a new user cannot log in

Default profile: for each new user, the profile is copied from the default template "C:\Users\Default" to "C:\Users\<new user>".

Publish a script with domain Group Policy (same as above) that leaves Everyone with no permissions on C:\Users\Default:

cacls %systemdrive%\users\default /e /c /p everyone:n

5. Hide "Computer > right-click > Properties" and "Control Panel > System", to prevent users from leaving the domain

6. Prohibit modification of the IP address, to prevent the host from escaping domain control

Still studying this ...

Testing failed with a Windows Server 2012 server + Win7 client: http://www.cnblogs.com/sjy000/articles/4711233.html

7. Refresh domain Group Policy so the configuration takes effect immediately
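
For step 3, the `net user` listings collected on the share still have to be turned into the delete batch. The following is an added example, not part of the original post, that parses one captured listing and emits the `net user ... /del` lines; the keep-list, the 25-character column width, the trailing completion message and the sample host PC01 are assumptions.

```python
import re

# Assumption: accounts to leave alone ("root" is the renamed Administrator).
KEEP = {"root", "administrator", "guest"}
COL = 25  # `net user` prints account names in 25-character columns


def parse_net_user(text):
    """Return the account names in one captured `net user` output."""
    lines = text.splitlines()
    # Names follow the dashed rule; keying on it also works on localized Windows.
    rule = [i for i, ln in enumerate(lines) if re.fullmatch(r"-{10,}", ln.strip())]
    if not rule:
        raise ValueError("not `net user` output: dashed rule missing")
    body = [ln for ln in lines[rule[0] + 1:] if ln.strip()]
    body = body[:-1]  # assumed: last non-empty line is the completion message
    names = []
    for ln in body:
        # Slice fixed-width columns so names containing spaces stay intact.
        for i in range(0, len(ln), COL):
            name = ln[i:i + COL].strip()
            if name:
                names.append(name)
    return names


def delete_batch(text, keep=KEEP):
    """Build batch lines deleting every listed account that is not in keep."""
    out = ["@echo off"]
    for name in parse_net_user(text):
        if name.lower() in keep:
            continue
        # The log share is user-writable: refuse cmd metacharacters, never emit them.
        if re.search(r'["%&|<>^!()]', name):
            raise ValueError(f"suspicious account name: {name!r}")
        out.append(f'net user "{name}" /del')
    return out


# Constructed sample of what one host (PC01, hypothetical) wrote to the share.
SAMPLE = (
    "\r\nUser accounts for \\\\PC01\r\n\r\n" + "-" * 79 + "\r\n"
    f"{'root':<25}{'Guest':<25}old admin\r\n"
    "user2\r\n"
    "The command completed successfully.\r\n\r\n"
)

if __name__ == "__main__":
    print("\n".join(delete_batch(SAMPLE)))
```

A listing that raises ValueError should be reviewed by hand before any delete batch is published.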

Fourth, Testing

Restart the Win7 client and simulate the operations of a good (naughty) kid

1. Try to use the Users and Groups management tool: the function is not there

2. Create local user user2 from the command line

3. Attempt to leave the domain: unable to find where to perform the operation

4. Log in with local user user2: login fails


This article is from the "Operation and maintenance rookie. Log" blog; reprinting is declined!
