I am in a situation , where removing accounts from local admin, isn't an option right now.
I would like to be able to Disable Any local user account, from Removing a System off the Domain, and resetting Local user account passwords.
Is that possible via a GPO ?
I read where if you apply : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
in: Computer Configuration > Windows Settings > Security Settings > Registry , you can prevent local users from removing Systems from the Domain. They went on to say, to add "Domain Admins" with full access and to make "local Admin group" read only. If this is true, How do you add "Local Admin Group" to the permissions ? I see how you can add permissions for domain accounts, but not local accounts..
Thank you