How come I can remove a Win(7) system from our domain on the client side without permissions?
December 2, 2011 9:51 AM
How come it appears that I can 'remove' a system from our Windows domain (w/ Win 7 clients, Server 2008 R2) on the client side - without requiring any user name or password that is known to the server?
posted by bitterkitten to Computers & Internet (6 answers total)
IAN the server administrator, though I just reported this to him. I had suspected for a while that you didn't need admin permissions to remove a system from the domain. Normally when you attempt to change your computer properties (name and/or domain or workgroup), if you are logged in with an administrator account, it doesn't ask you for permissions (at least here on our network it doesn't, though maybe that's configurable with the UAC). That's OK. I had also noticed, though, that if you are not logged in as an admin, and it asks for elevated privileges, you could put in a non-admin user account (only for removing, and not adding, a system on the domain), and that would remove it.
But today, just for the hell of it, I was sitting at a client system, had to remove it from the domain, it asked for my elevated privileges, and I punched in any ol' characters and numbers in the username and password fields. This worked.
To confirm it wasn't just a one-time glitch, I did a series of re-adding it, removing it, physically connected to the network, not physically connected to the network, different machine accounts. Seems to work as I mentioned above; if I am connected physically to the network, and want to remove a system on the client side from the domain, it just doesn't care what I put in the username/pw fields, it will let me remove it.
Is this normal behavior / something you can change on the server or policy side? Or have I discovered a Windows bug?