I. Introduction
Once all of the company's hosts have been joined to the domain, the SA's first task is to stop domain-joined hosts from escaping domain control. What made me realize this work was necessary was a programmer: the day before, I had pushed out the policy banning QQ from running; the next morning I saw the guy chatting away. He must have switched back to logging on with his old local account.
Our company installs all sorts of software, and a lot of it throws errors when run without administrator rights, so domain accounts have to be granted local administrator rights. Such broad permission brings a series of consequences: users can leave the domain and create local administrator accounts. Managing this is a real challenge for the SA.
II. Principle
Block users' access to the Users and Groups management tool, so they cannot find the tool for creating a new local account. Rename Administrator and delete all other local accounts, so there is no local account left to log on with. If a user creates a new account from the command line anyway, the logon is refused because the default profile has been made inaccessible. Hide the dialog used to leave the domain, so the user cannot find it. Block changes to the IP address: a host moved onto a subnet that cannot reach the DC can still log on, but it is then out of management control.
III. Configuration
1. Create a new domain Group Policy object named "Prevent leaving the domain"
Start → Administrative Tools → Group Policy Management
2. Prohibit access to the Users and Groups management tool: prevents creation of new local accounts
3. Rename Administrator to root and delete all local accounts: prevents logging on as the local administrator
Method for deleting local accounts: use domain Group Policy to publish a batch file that lists the local accounts on the user's machine and writes the result to a shared folder on a host; after all accounts have been tallied, publish the batch file that deletes the users.
Publish the batch file as a logon script; it runs automatically after the account logs on.
Inventory the accounts (the output file is named after the logged-on user):
net user > \\192.168.1.100\log\%username%
Delete an account:
net user username /del
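The two-phase procedure above (inventory first, delete once the tally is complete), written as a single PowerShell logon script. This is an added example, not the blog's own script: the share \\192.168.1.100\log is the collection point named in the post, while the RID allow-list (500 = the built-in Administrator, renamed "root" in the post; 501 = Guest; 503 = DefaultAccount) and the -Delete switch are this example's own choices. It uses only Windows PowerShell 2.0 features so it also runs on the Win7 clients the post targets.

```powershell
# Added example (not the post's own script). Phase 1: run without -Delete to write an
# inventory of local accounts to the share. Phase 2: run with -Delete to remove every
# local account that is not on the built-in allow-list.
param([switch]$Delete)

$LogShare = '\\192.168.1.100\log'   # collection share from the post
$KeepRids = 500, 501, 503           # assumption: built-ins to keep (Administrator/root, Guest, DefaultAccount)

function Get-LocalAccountInventory {
    # LocalAccount='True' keeps WMI from walking the whole domain for every account
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        ForEach-Object {
            $rid = [int]$_.SID.Split('-')[-1]     # last SID component identifies built-ins
            New-Object PSObject -Property @{
                Computer = $env:COMPUTERNAME
                Name     = $_.Name
                SID      = $_.SID
                Rid      = $rid
                BuiltIn  = ($KeepRids -contains $rid)
                Disabled = $_.Disabled
            }
        }
}

function Get-RemovableAccounts {
    param($Inventory)
    # Only accounts outside the allow-list are candidates; the renamed RID-500 admin survives
    $Inventory | Where-Object { -not $_.BuiltIn }
}

function Remove-LocalUserAccount {
    param([string]$Name)
    # ADSI WinNT provider works on Win7, where Remove-LocalUser does not exist
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $computer.Delete('user', $Name)
}

$inventory  = @(Get-LocalAccountInventory)
$reportFile = Join-Path $LogShare ("{0}-{1}.csv" -f $env:COMPUTERNAME, $env:USERNAME)
$inventory | Export-Csv -Path $reportFile -NoTypeInformation

if ($Delete) {
    foreach ($acct in Get-RemovableAccounts $inventory) {
        # Never delete the account this script is currently running as (a local logon)
        if ($acct.Name -eq $env:USERNAME -and $env:USERDOMAIN -eq $env:COMPUTERNAME) { continue }
        Remove-LocalUserAccount -Name $acct.Name
        Add-Content -Path $reportFile -Value ("deleted,{0}" -f $acct.Name)
    }
}
```

Deploy it exactly as the post deploys the batch file: first as a logon script without -Delete, review the CSV files on the share, then republish with -Delete. Keying the allow-list on the RID rather than the account name is what makes the rename in step 3 safe: the built-in Administrator keeps RID 500 whatever it is called, so "root" is never on the deletion list.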
4. Deny access to the Default profile, so new users cannot log on
Default profile: every new user's profile is copied from the default template C:\Users\Default to C:\Users\<new user>.
Publish a script with domain Group Policy (as above) that removes Everyone's permissions on C:\Users\Default:
cacls %systemdrive%\users\default /e /c /p everyone:n
5. Hide "Computer → right-click → Properties" and "Control Panel → System": prevents users from leaving the domain
6. Prohibit modification of the IP address, to prevent escaping control by leaving the domain
Still working on this one ...
Test failed with Windows Server 2012 on the server and Win7 on the client: http://www.cnblogs.com/sjy000/articles/4711233.html
7. Refresh domain Group Policy so the configuration takes effect immediately
IV. Testing
Restart the Win7 client and simulate what a mischievous user would do
1. Try the Users and Groups management tool: the function is gone
2. Create local user user2 from the command line
3. Attempt to leave the domain: cannot find where to do it
4. Log on as local user user2: logon failed
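The manual test above checks the controls by hand. A read-only compliance check that reports the state of steps 3 and 4 and of domain membership on a client, as an added example that is not part of the original post: it assumes the renamed built-in administrator is "root" (checked by RID, not by name) and that the template path is %SystemDrive%\Users\Default as in the post. Everything is Windows PowerShell 2.0 compatible.

```powershell
# Added example (not the post's own script): report whether the lockdown is in place.
function Test-DomainLockdown {
    $cs     = Get-WmiObject -Class Win32_ComputerSystem
    $locals = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'")

    # The built-in Administrator keeps RID 500 whatever it has been renamed to
    $builtinAdmin = $locals | Where-Object { $_.SID -like '*-500' }
    # Accounts created after installation get RIDs from 1000 upward; built-ins stay below
    $extraLocals  = $locals | Where-Object { ([int]$_.SID.Split('-')[-1]) -ge 1000 }

    # Behavioural test of step 4: with Everyone denied, even an elevated session
    # cannot list the template directory
    $defaultProfile   = Join-Path $env:SystemDrive 'Users\Default'
    $templateReadable = $true
    try   { $null = Get-ChildItem -Path $defaultProfile -Force -ErrorAction Stop }
    catch { $templateReadable = $false }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        PartOfDomain         = [bool]$cs.PartOfDomain
        Domain               = $cs.Domain
        BuiltinAdminName     = $builtinAdmin.Name
        AdministratorRenamed = ($builtinAdmin.Name -ne 'Administrator')
        ExtraLocalAccounts   = @($extraLocals | ForEach-Object { $_.Name })   # expect none after step 3
        DefaultProfileLocked = (-not $templateReadable)
    }
}

Test-DomainLockdown | Format-List
```

Run it in an elevated session on the client after the Group Policy refresh in step 7; a compliant host shows PartOfDomain True, AdministratorRenamed True, an empty ExtraLocalAccounts list and DefaultProfileLocked True. One point worth checking alongside step 4: the Default template is the source for every first logon on the host, domain accounts included, so a domain user who has never logged on to that client will hit the same profile failure that blocks user2; stage new domain users' first logon before the deny is applied, or accept that the host is tied to its existing users.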
This article is from the "Ops Rookie Log" blog; reprinting is declined!