One of our attorneys is out of the country and visited a client's site. In order to get on their network, they mistakenly told him to exit our domain. Big time oops.
Of course, now the user can't log in to the system properly or access his offline email.
I don't blame the user in these circumstances because they are usually just listening to an incompetent admin at the site they are visiting. But you really have to wonder, why does Windows let a user remove a system from the domain when it doesn't let them add it? It shouldn't matter if the user has administrative rights on the PC; it should be an action that is only allowed if you can authorize yourself as a domain administrator at the time you want to perform the removal.
I'm sure that Microsoft has some well-rationalized reason for not doing this, but I'm not buying it. I've seen this happen too often at the worst possible times, and it is a behavior that should not be allowed by the OS.
Most likely this functionality is there because there are many times when a user is going to want to (or need to) remove a computer from a domain that either no longer exists or that the machine can no longer connect to. Why penalize a user just because their laptop is no longer on the corporate network?
In my case, I am a contractor and my laptop is a member of the corporate AD at the bank I'm working at. It's my laptop, and if one day my contract ends and I forget to remove my machine from the domain before I leave the office, what am I going to do if I can't remove it from the domain without being able to connect to the domain?
Phil
Posted by: Phillip Renouf | Tuesday, November 16, 2004 at 10:30 AM
If I'm not mistaken, a user WITHOUT administrative privileges CANNOT remove the machine from the domain. Thus, the objective should actually be directed at getting users to not run with administrative privileges.
Another option here would be to configure the laptop to utilize the same profile for either a domain account or a local account. Then... when the user wishes to connect to a different network, have the user log on in a local context and then access the resources within the new domain using those credentials.
Just an idea.
-KHD
Posted by: Kevin H. Devin | Tuesday, November 16, 2004 at 02:02 PM
Yes, but a user without administrative rights is restricted in a lot of ways in how they can use their computer. Try telling a partner that they can't install apps or change things to the way that they like them. Plus, at least one of our apps (WORLDOX, our DMS) does not run well in non-admin mode.
You could set up an administrative user for them to use for certain things, but that creates a lot of headache when you are doing that for 20 users or more. I don't have time to babysit users who need something right now and can't get it because they don't have the proper rights.
For an attorney billing at $400 or more, even the slightest downtime becomes a serious irritant and it just can't be afforded.
Yes, the argument can be made that it's not secure to run PCs in admin mode, but the counter-argument can be made that it impacts usability of the operating system to enough of a degree that it's not worth doing.
Of course by giving users admin rights, they can get into a lot more trouble thereby creating more work for me and lost productivity for them, but then again I think that it's always better to err on the side of flexibility for the user's sake.
We are here as admins to make our users' lives easier and not to hinder them. Security should be transparent to the user and not impact the way they work.
At the same time, I would say that if you join a domain, certain features should be locked until a domain admin gives your system permission to disconnect from the domain, which can be done to a certain extent with Active Directory Global Policies, but I don't remember there being a policy to lock down a domain user's ability to remove a system from the domain, which would be great.
At the very least, a domain user connected to a system should not be able to cavalierly disconnect from the domain. That would get around Phil's issue because he could still disengage from the domain by logging into an account local to the PC in question as opposed to the domain account.
Also, Phil, technically speaking, you don't have to join the domain to access resources on the domain. You can map drives from a non-domain PC to a domain server. You can connect to Outlook and many other services without being on the domain.
Either way, there are ways for Microsoft to address this issue that would be beneficial to their customers. And until they come up with a better mechanism to be logged in as a non-admin user and still be able to do all the things that users need/want to do with their PCs, I don't see having them log in as a non-admin user as a viable option.
Posted by: Alex Scoble | Tuesday, November 16, 2004 at 04:55 PM
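An added illustration, not code from this thread, of two points above: Kevin's observation that only a local administrator can remove a machine from the domain, and Alex's wish for a control that stops a domain user from cavalierly disconnecting. There is no "may unjoin" policy, but because the unjoin is gated on membership in the PC's local Administrators group, the practical control is keeping domain user accounts out of that group. The script below is written for Windows PowerShell 5.1 (the LocalAccounts cmdlets it uses did not exist in the Windows 2000/XP era the posts describe) and reports the laptop's domain membership and which domain users could unjoin it while offline; the account name in the remediation line is hypothetical.

```powershell
# Added example, not code from the thread. Windows PowerShell 5.1
# (Microsoft.PowerShell.LocalAccounts module), run elevated on a laptop.
# Purpose: report who could unjoin this PC. Unjoining needs local
# Administrators membership, not domain admin rights, so the control Alex
# asks for reduces to "no domain users in the local Administrators group".

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "{0} is joined to domain {1}" -f $cs.Name, $cs.Domain
} else {
    "{0} is in workgroup {1}; nothing to unjoin" -f $cs.Name, $cs.Workgroup
}

# Every member of the local Administrators group can leave the domain from
# System Properties or Remove-Computer, with or without network connectivity.
# Caveat: off the corporate network, domain members that cannot be resolved
# appear as bare SIDs (S-1-5-21-...); treat those as domain principals too.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

$domainUserAdmins = $admins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory'
}
if ($domainUserAdmins) {
    'Domain user accounts that can unjoin this PC without any domain admin:'
    $domainUserAdmins | ForEach-Object { '  ' + $_.Name }
} else {
    'No domain user accounts hold local admin on this PC.'
}

# Is the current logon itself elevated? This is effectively the check the OS
# performs before allowing the unjoin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user {0} is running elevated: {1}" -f $identity.Name, $elevated

# Remediation (Kevin's suggestion applied): take the domain user back out of
# the local Administrators group. 'CORP\jdoe' is a hypothetical account name.
# Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jdoe'
```

Run on each laptop (or from a scheduled task that writes the result somewhere central), this gives the inventory of who can unjoin. The preventive counterpart is a Restricted Groups policy on the laptops' OU that fixes the local Administrators membership, so a domain user who is added locally is removed again at the next policy refresh; note that an offline laptop keeps whatever membership it last received.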
Just wait until it's a stupid admin who tries to rejoin the machine to the domain and the whole saga is repeated once a week, every time they leave for the weekend... that REALLY screws up AD and the local machine.
Posted by: Andy | Wednesday, November 17, 2004 at 04:35 AM
You're right that you don't need to be a member of the domain to access resources from that domain, but that wasn't my point.
My point was that if I am restricted from removing my machine from the domain without an administrator's prior approval, then what am I going to do if I am at another client site and have no connection to the previous domain but have a need (or just the desire) to remove myself and either run as a standalone machine or join another domain? There is great value for you in having that restriction, but there are also a number of cases where it would be a great hindrance for the user.
Always two sides to a story ;)
Posted by: Phillip Renouf | Thursday, November 18, 2004 at 01:33 PM
It occurs to me that another way of handling the problem is allowing a PC to connect to two different domains, just like they allow you to set up a system for two separate IP networks now in XP.
BTW Phillip, why would you have a need to run as a standalone machine or join another domain?
Posted by: Alex Scoble | Thursday, November 18, 2004 at 02:43 PM
Hi
I have a question.
Can a laptop be a member of two different domains?
I've researched this for several hours already but have not gotten anything useful.
thank you for your time.
oscar
Posted by: oscar | Monday, May 29, 2006 at 02:35 PM
Jude is the network administrator for Camel Toe Company. His network contains four Windows 2000 Servers acting as domain controllers, two Windows 2000 Servers acting as member servers, and 243 Windows 2000 Professional workstations. Jude hired a Windows 2000 consultant to install some specialty hardware for the server. The consultant needs administrative rights on the member server. Jude doesn't want to add the consultant to Domain Admins. Is there anything that Jude can do to allow the consultant to complete the work without giving administrative rights to the entire domain?
Posted by: abolee | Tuesday, February 26, 2008 at 07:21 PM
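For the scenario abolee poses, one least-privilege answer, as an added example that is not part of the thread: put the consultant's domain account into the local Administrators group of that one member server, which grants administrative rights on that host and nowhere else, rather than into Domain Admins. The script is written for Windows PowerShell 5.1 on the member server (the Windows 2000 equivalent is the `net localgroup` line in the comments); the domain NetBIOS name and account name are hypothetical, and the Domain Admins check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not part of the thread. Grants a consultant administrative
# rights on ONE member server by adding their domain account to that server's
# local Administrators group instead of to Domain Admins. Run elevated on the
# member server. Names below are hypothetical. Needs Windows PowerShell 5.1;
# the Domain Admins check additionally needs the RSAT ActiveDirectory module.

$consultant = 'CAMELTOE\consultant'   # hypothetical domain account

# Local Administrators on a member server is a machine-local group: membership
# grants admin on this host only. Never do this on a domain controller, where
# "Administrators" is the domain's built-in group and is domain-wide.
Add-LocalGroupMember -Group 'Administrators' -Member $consultant

# Verify the grant landed on this server...
$here = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $consultant }
if ($here) { "$consultant is a local admin on $env:COMPUTERNAME" }

# ...and that the account is not, directly or through nesting, a Domain Admin.
Import-Module ActiveDirectory
$sam = $consultant.Split('\')[1]
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $sam) {
    Write-Warning "$sam is also in Domain Admins; that defeats the purpose"
} else {
    "$sam is not a Domain Admin; rights are confined to this server"
}

# Windows 2000-era equivalent of the grant (no PowerShell on those hosts):
#   net localgroup Administrators CAMELTOE\consultant /add
# Revoke when the work is finished:
#   Remove-LocalGroupMember -Group 'Administrators' -Member $consultant
```

The grant is per machine, so the same account has no special rights on the domain controllers, the other member server or the workstations. If the server sits in its own OU, the same membership can be set centrally with a Restricted Groups policy scoped to that OU, which also makes the revocation at the end of the engagement a single policy change.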