

How come I can remove a Win 7 system from our domain on the client side without permissions?
December 2, 2011 9:51 AM

How come it appears that I can 'remove' a system from our Windows domain (with Win 7 clients, Server 2008 R2) on the client side, without requiring any user name or password that is known to the server?

IAN the server administrator, though I just reported this to him. I had suspected for a while that you didn't need admin permissions to remove a system from the domain. Normally when you attempt to change your computer properties (name and/or domain or workgroup), if you are logged in with an administrator account, it doesn't ask you for permissions (at least here on our network it doesn't, though maybe that's configurable with UAC). That's OK. I had also noticed, though, that if you are not logged in as an admin, and it asks for elevated privileges, you could put in a non-admin user account (only for removing, and not adding, a system on the domain), and that would remove it.

But today, just for the hell of it, I was sitting at a client system, had to remove it from the domain, it asked for my elevated privileges, and I punched in any ol' characters and numbers in the username and password fields. This worked.

To confirm it wasn't just a one-time glitch, I did a series of re-adding it and removing it, physically connected to the network, not physically connected to the network, with different machine accounts. It seems to work as I mentioned above: if I am connected physically to the network and want to remove a system on the client side from the domain, it just doesn't care what I put in the username/password fields; it will let me remove it.

Is this normal behavior, or something you can change on the server or policy side? Or have I discovered a Windows bug?
posted by bitterkitten to Computers & Internet (6 answers total)
I think it might be normal behavior. I've never known any restrictions on who can remove a computer (WinXP or Win7) from the domain, but it does take elevated privileges to add a machine to the domain.

Disclaimer: YMMV, I'm desktop support, not a network admin. I'm also not a domain admin.
posted by AMSBoethius at 10:36 AM on December 2, 2011


It's unlikely that the machine was removed from Active Directory on the server. It probably just un-joined locally. This can cause problems later if you try to re-join with the same machine name, since there's an existing record of it on the domain.

That, or something funky's going on.
posted by odinsdream at 11:01 AM on December 2, 2011


Odins, sure, it's just unjoined locally, but it's still the same question: shouldn't there be some genuine security measure when you unjoin a machine?

Maybe Microsoft didn't care the same way the U.S. doesn't care when you go to Mexico (vs. coming back), or depositing money in some banks (where they really only seem to care about security if you take any out, vs deposits). ; )
posted by bitterkitten at 11:16 AM on December 2, 2011


I do find it surprising that you can do it as an account that's not a local admin. Are you sure about that? Can you confirm that the account you believe to be a non-local-admin doesn't in fact have admin rights propagated to it through group policy, using gpresult on the command line?
posted by odinsdream at 12:26 PM on December 2, 2011


It's probably the same mechanism that allows a laptop to still function if it isn't connected to the home network.
posted by gjc at 8:29 PM on December 2, 2011


If you're not an admin, the dialog to join/unjoin and even rename *should* be greyed out. If it is not, you should review your local and group policies.
posted by samsara at 12:46 PM on December 3, 2011
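The checks odinsdream and samsara suggest (is the account really a non-admin, did the "unjoin" actually touch Active Directory, and what policy is in effect) can be run from PowerShell on the client and on an admin workstation. This is an added example, not code from anyone in the thread. It assumes PowerShell 2.0 on the Win 7 client, the ActiveDirectory module from RSAT for the server-side lookup, and a placeholder computer name passed as a parameter.

```powershell
# Added example: verify what a client-side "unjoin" actually did.
# Assumptions: Win 7 / PowerShell 2.0 on the client; the ActiveDirectory module
# (RSAT) is installed wherever the AD lookup runs; $ComputerName is a placeholder.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # placeholder; defaults to this machine
)

# 1. Is the logged-on user really a non-admin? Check the token first.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"{0}: elevated administrator token = {1}" -f $identity.Name, $elevated

# Under UAC a member of Administrators running un-elevated still reports $false above,
# so also list the local Administrators group; a domain group pushed by GPO
# (Restricted Groups, for example) shows up here even if the user never saw it.
"Members of local Administrators:"
net localgroup Administrators

# 2. What does the client itself believe about its join state?
$cs = Get-WmiObject -Class Win32_ComputerSystem
"PartOfDomain = {0}; Domain/Workgroup = {1}" -f $cs.PartOfDomain, $cs.Domain

# 3. Does the computer account still exist on the server side?
#    A local unjoin that never authenticated to a DC leaves this object in place,
#    which is what causes the re-join-with-same-name problems odinsdream mentions.
Import-Module ActiveDirectory -ErrorAction Stop
try {
    $acct = Get-ADComputer -Identity $ComputerName -Properties Enabled, PasswordLastSet
    "AD object still present: Enabled = {0}; PasswordLastSet = {1}" -f $acct.Enabled, $acct.PasswordLastSet
}
catch {
    "No computer object named '$ComputerName' in AD: $($_.Exception.Message)"
}

# 4. Which GPOs and group memberships actually applied to this user on this box.
gpresult /R /SCOPE USER
```

Run step 1 and 2 on the client as the account you believe is a non-admin, and step 3 from any domain-joined machine with RSAT. If `PartOfDomain` is `False` on the client while `Get-ADComputer` still returns the object, the machine was only unjoined locally; the AD object should then be reset or deleted before the machine is joined back under the same name.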

