
   alt.os.windows-xp      One of my personal favourites!      146,966 messages   


   Message 145,223 of 146,966   
   Lars Uffmann to Bruce Chambers   
   Re: Exactly how much control does a Wind   
   09 Jul 10 15:55:36   
   
   From: aral@nurfuerspam.de   
      
   Bruce Chambers wrote:   
    > Lars Uffmann wrote:   
    >> Title says it all: Just by joining the machine to a domain, how much   
    >> control do domain admins get over the system?   
    >     Total control.   
      
   Could you be a bit more specific? As to: what mechanism would give   
   control over systems? Like: Is there an established service (like could   
   you turn on remote desktop as a domain admin, and access the computer   
   with that) or would you need to somehow get a Windows update that the   
   client will deem "official", which gives you remote access?   
      
   >     Exactly.  After all, the computer isn't your property, it's your   
   > employer's.   
      
   That's true for the computer, not necessarily for the products of my   
   work. Different legislation may apply where you live. There's also -   
   depending on where you live - a right to privacy regarding certain   
   aspects, including your email (just like private phone calls, to a   
   degree, are allowed at work).   
      
   But that is off the point :)   
      
   >> Next question would be: Is it possible to lock out domain admins from   
   >> your computer (completely) if you don't trust them?   
   >   
   >     No, and, in many companies, attempting to violate company policies in   
   > this manner is a shortcut to the unemployment line, since one would be   
   > tampering with, and potentially sabotaging, company property, as well as   
   > ignoring one's "terms of employment."   
      
   Oh, you're getting me completely wrong: It is not about violating   
   company policies, it is all about complying with the policies without   
   giving the IT management full control over the individual's PC. Because   
   that is not what they say they want (at least they do not admit it   
   openly), so unless they change their current set of rules, they cannot   
   enforce any rules that forbid you from securing your system against   
   unauthorized access. Unless of course, the only way to secure the system   
   is to NOT join the active directory.   
      
   >     Only domain administrators, or specially designated accounts, can   
   > join a computer to a domain.   
      
   Yes, we have our own IT manager in the department, and we can join our   
   systems ourselves. I've done it myself, after having the proper role for   
   a while (testing stage).   
      
   >> And how would you do that if it is possible?   
   >     Anything is possible, but, if you have to ask, you clearly lack the   
   > requisite skills.   
      
   That is not a really helpful answer. Obviously I was asking, because I   
   didn't know yet - and this is a forum where I'd think some know-how on   
   the subject would be available to learn more about.   
      
   Best Regards,   
      
      Lars   
      



(c) 1994,  bbs@darkrealms.ca