Sorry that this weeks setting of the week was a little late however as you can see I have been a little busy.
This weeks setting is called “Remote Properties from the Computer icon context menu” and can be found under User Configuration > Policies > Administrative Templates > Desktop. This setting might seem a little mundane compared some other setting however it could be very useful if you are in an environment where many of your users have admin access to their computers. Enabling this setting makes it much more difficult for users to remove their computer from the domain which they might want to do because of those pesky restrictive group policies. 😉
Note: If you do enabled this option be sure not to apply it to specific IT staff so that they can still manage the computer account. You could do this by using using the Deny “Apply Group Policy” of the Advanced security setting of the policy.
Setting Enabled on Windows 7
Setting Enabled on Windows XP
Note that this does not prevent users from removing the computer from the domain as all you are doing is disabling the System Properties dialogue box that has the computer name tab (see image below) where domain membership is normally configured. While just disabling the UI is not a 100% effective it should at least stumble most users from changing this setting.
In case you were wondering, a user with admin access to their computer could still install either the Windows XP Support tools or the Remote Server Admin Tools (RSAT) to use the NETDOM JOIN and NETDOM REMOVE commands to change the computer domain membership.