First, understand this:
A member of local administrators group can do any and all on the local machine. The built in account administrator is a member of local adminstrators group.
Second, understand what exactly happens when a machines joins a domain.
Who can join a pc to a domain:
1. he must be member of local admin gruop.
2. he must be member of domain group that has rights to add machines to the domain - usually this is domain admin group. This right is needed because a security account for the machine must be created in the domain when the machine joins the domain. If you are only a local admin, you cannot join a machine to a domain, unless the domain admin has already created the machine account for you beforehand (with the same machine name).
note any domain group does not reside on any local machine. they reside on domain controller/active directory.
That's why when you set up a new machine, and join it to a domain, it will prompt you for another username/password. This user must be able to add machine to domain (i.e. create machine accoutn in the domain).
Similarly, a local admin can disjoin his machine from domain. but if he does not he rights to remove the machine account from the domain, the machine account is still there even after disjoint. next time the local admin can join it again w/o the help of domain admin because the machine acccount want deleted last time. If a domain admin disjoins the machine, the machine account is gone. Rejoining needs "add to domain" rights again.
A member of local administrators group can do any and all on the local machine. The built in account administrator is a member of local adminstrators group.
Second, understand what exactly happens when a machines joins a domain.
Who can join a pc to a domain:
1. he must be member of local admin gruop.
2. he must be member of domain group that has rights to add machines to the domain - usually this is domain admin group. This right is needed because a security account for the machine must be created in the domain when the machine joins the domain. If you are only a local admin, you cannot join a machine to a domain, unless the domain admin has already created the machine account for you beforehand (with the same machine name).
note any domain group does not reside on any local machine. they reside on domain controller/active directory.
That's why when you set up a new machine, and join it to a domain, it will prompt you for another username/password. This user must be able to add machine to domain (i.e. create machine accoutn in the domain).
Similarly, a local admin can disjoin his machine from domain. but if he does not he rights to remove the machine account from the domain, the machine account is still there even after disjoint. next time the local admin can join it again w/o the help of domain admin because the machine acccount want deleted last time. If a domain admin disjoins the machine, the machine account is gone. Rejoining needs "add to domain" rights again.
選擇“Disable on www.wenxuecity.com”
選擇“don't run on pages on this domain”
