Group Policy Setting of the Week 24 – Remove Properties from the Computer icon context menu

Sorry that this week's setting of the week was a little late; however, as you can see, I have been a little busy.

This week's setting is called “Remove Properties from the Computer icon context menu” and can be found under User Configuration > Policies > Administrative Templates > Desktop. This setting might seem a little mundane compared to some other settings; however, it could be very useful if you are in an environment where many of your users have admin access to their computers. Enabling this setting makes it much more difficult for users to remove their computer from the domain, which they might want to do because of those pesky restrictive group policies. ;)

Note: If you do enable this option, be sure not to apply it to specific IT staff so that they can still manage the computer account. You could do this by using the Deny “Apply Group Policy” option in the Advanced security settings of the policy.

image

Setting Enabled on Windows 7

image

Setting Enabled on Windows XP

image

Note that this does not prevent users from removing the computer from the domain, as all you are doing is disabling the System Properties dialogue box that has the Computer Name tab (see image below) where domain membership is normally configured. While just disabling the UI is not 100% effective, it should at least deter most users from changing this setting.

image

In case you were wondering, a user with admin access to their computer could still install either the Windows XP Support Tools or the Remote Server Administration Tools (RSAT) and use the NETDOM JOIN and NETDOM REMOVE commands to change the computer's domain membership.
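
Because the setting only hides a dialog, it is worth auditing the real state rather than trusting the GPO. The following is an added example, not part of the original post: a PowerShell 3.0+ check, run as the user being audited, that reports whether the policy reached the user's hive, whether the computer is still domain joined, and whether the user's token is administrative. The registry value name `NoPropertiesMyComputer` is not given in the post and is an assumption about what this policy writes, so confirm it against your ADMX templates; the function name is hypothetical.

```powershell
# Added example; assumes the policy writes NoPropertiesMyComputer = 1 (verify in your ADMX).
$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyValue = 'NoPropertiesMyComputer'

function Get-PropertiesPolicyAudit {
    # 1. Has the policy landed in this user's registry hive?
    $item    = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    $applied = ($null -ne $item) -and ($item.$PolicyValue -eq 1)

    # 2. Is the machine still a domain member? The policy only hides the
    #    dialog, so membership has to be checked directly.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 3. Does the current token carry local Administrators? Under UAC a
    #    non-elevated admin session reports $false, so $false means
    #    "not elevated", not "not a member".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $finding = if (-not $cs.PartOfDomain) {
        'Computer is not domain joined'
    } elseif (-not $applied) {
        'Policy is not applied to this user'
    } elseif ($isAdmin) {
        'Policy applied, but the user is a local admin: UI-only obstacle'
    } else {
        'Policy applied and the user token is not administrative'
    }

    [pscustomobject]@{
        User          = $identity.Name
        Computer      = $cs.Name
        Domain        = $cs.Domain
        DomainJoined  = $cs.PartOfDomain
        PolicyApplied = $applied
        TokenIsAdmin  = $isAdmin
        Finding       = $finding
    }
}

Get-PropertiesPolicyAudit | Format-List
```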
