Re: GPO to Block Clients Connecting to Domain




Howdie John!

John Tiesi wrote:
Our setup is unique. We are a domain within a university forest. The forest admins can join a computer to our domain without our consent. I would like to prevent that from happening.

I recently heard a speech by Steve Riley, a security guy at Microsoft, who said something like: "If you don't trust your admin, why further employ him/her?" - your situation made me remember this. But as these guys are the forest admins you'd have a hard job to fire them.

Anyway, I don't see a way to prevent them from not joining the machines to your domain because whatever permissions you take away, they're able to grant them back. Maybe someone else here has a solution for your issue.

I read this paper a while ago; it's about IPSec domain isolation and _could_ be something for you, as one can define certain criteria for machines to join the domain. As the title states, it's something for a "Test Lab" but maybe you'll come up with a solution after having read this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5ACF1C8F-7D7A-4955-A3F6-318FEE28D825&displaylang=en

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.