Domain users who are members of the local Administrators group on their computers can, if they wish, remove their computers from the domain. This is undesirable, because the user can put the machine into an “unmanaged” state (group policies no longer apply to the PC), which can reduce the security of the machine and of the user data stored on it.
How to prevent domain users from join
How can users be prevented from removing their computers from a domain? Unfortunately, it is difficult to do this by simply modifying user rights. The simplest solution in this case is to remove the domain user accounts from the local “Administrators” group on all PCs, which is another reason not to give users local administrative rights on their machines.
If users already have administrator rights on their machines, you can use the script at http://gallery.technet.microsoft.com/ScriptCenter/en-us/a20ca8f9-1c4b-4851-9a2e-ee1b03b5f64b from the TechNet Script Repository. Run it on user machines through Group Policy, SMS or in another way, and it will remove all users from the local Administrators group. Conduct thorough testing before taking such a step, because many applications (written by careless programmers) will not work on the user’s PC if the user does not have administrator rights on the machine.
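The cleanup described above can be sketched as follows. This is an added example, not the TechNet script and not code from the original page. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, and the `KeepRid` and `KeepName` parameters are hypothetical names chosen here for the accounts that should stay.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: RIDs that stay. 500 = built-in Administrator, 512 = Domain Admins.
    [uint32[]]$KeepRid = @(500, 512),
    # Assumption: extra members to keep, written as 'DOMAIN\name' (none by default).
    [string[]]$KeepName = @()
)

# Well-known SID of the local Administrators group; works on localized Windows too.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'

foreach ($member in Get-LocalGroupMember -Group $admins) {
    $sid  = $member.SID.Value
    $keep = $KeepName -contains $member.Name

    # Only account SIDs (S-1-5-21-...) end in a RID that is compared to the keep list.
    if (-not $keep -and $sid -like 'S-1-5-21-*') {
        $rid  = [uint32]($sid -split '-')[-1]
        $keep = $KeepRid -contains $rid
    }

    $action = 'Kept'
    if (-not $keep) {
        # With -WhatIf, ShouldProcess returns $false and nothing is changed.
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group $admins -Member $member -ErrorAction Stop
            $action = 'Removed'
        } else {
            $action = 'WouldRemove'
        }
    }

    # One record per member, so the result can be collected and reviewed centrally.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $member.Name
        Class    = $member.ObjectClass
        Source   = $member.PrincipalSource
        Sid      = $sid
        Action   = $action
    }
}
```

Running it with `-WhatIf` first lists what would be removed on each machine without changing anything, which fits the testing step recommended above.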