In Windows, how do I disable ADS network settings after I leave the IU network?

To disable your ADS network settings in Windows after you leave the Indiana University network, follow the appropriate instructions below.

On this page:

• Windows 8, 7, and Vista
• Windows XP

Windows 8, 7, and Vista

Reset the password to the Administrator account if you are not sure you already know it:

1. In Windows 8, press Win-x to open the Power User menu, and then click Computer Management.

   Note: For help navigating in Windows 8, see About views in Windows (Start screen/menu, Control Panel) and Microsoft's Windows 8 FAQ.

   In Windows 7 and Vista, from the Start menu, right-click Computer and select Manage.

2. In the left pane of the window, click the arrow next to "Local Users and Groups", and select the Users subfolder.
   
   
3. At the right, find the account with the description "Built-in account for administering the computer/domain". By default, the account is named Administrator. Right-click it and choose Set Password... .
   
   
4. Enter a new password for the account and confirm it. Click OK.

To unjoin from the ADS Domain:

1. In Windows 8, press Win-e to open the Computer window. In the list of locations on the left, right-click Computer, and then select Properties.

   Note: For help navigating in Windows 8, see About views in Windows (Start screen/menu, Control Panel) and Microsoft's Windows 8 FAQ.

   In Windows 7 and Vista, from the Start menu, right-click Computer and select Properties.

2. In the left pane of the window, click Advanced System Settings.
   
   
3. In the System Properties window, select the Computer Name tab, and then click Change.
   
   
4. Under "Member of", select Workgroup: . In the field provided, type any name you would like, and then click OK.
   
   
5. You will then be prompted with the Local Username And Password window for authentication. In the "Name:" field, type your computer name and local account name (e.g., bl-rh-username\LocalAccount). In the "Password:" field, type your local account password. Click OK.
   
   
6. In the System Settings Change dialog box that appears, click Yes to automatically reboot your computer.

Windows XP

When leaving the IU network, you should do three things:

1. Before leaving campus, reset the password for the local administrator account if you are not sure you already know it:
   
   
   1. Click Start, and then Control Panel.

      Note: If this doesn't match what you see, refer to About navigation settings in Windows.

   2. Double-click User Accounts.
      
      
   3. Highlight the administrator account (make sure the "Domain:" listed is the name of your computer and not "ADS") and click Set Password... .
      
      
   4. In the two boxes, enter the password you'd like to use, and then click OK.
      
      
2. Disable the ADS network settings:

   Note: This step only applies to Windows XP Professional. Windows XP Home and Media Center editions are unable to join a domain or Active Directory; if you use either of those operating systems, skip to the next section.

   1. Right-click My Computer and choose Properties.
      
      
   2. Click the Computer Name tab, and then click Change.
      
      
   3. Select Workgroup: , and then enter anything you like in the field provided.
      
      
   4. Click OK, and then click Apply to save your changes and close the open windows.
      
      Note that this step can be done either on or off campus, so it doesn't matter if you do it before or after you leave.
      
      
3. If necessary, reconfigure the LAN Manager authentication settings:

   When set to its highest setting, the LAN Manager Authentication level should still work off campus in most situations. The only times it won't work will be when you bring your computer to a new domain that isn't set to handle the NTLMv2 protocol. Note that this combination of factors is rare; most domains can handle NTLMv2. For most people, this setting should be fine, especially if you are returning to campus at some point.

   Some users may experience issues with this control at its current setting. For example, in a home networking situation, a Windows computer not configured to use NTLMv2 will not be able to map a drive or folder until it is reconfigured to do so. In those cases, UITS recommends that you reconfigure the other computer, rather than decrease the security of your own.

   UITS does not recommend that you change this setting proactively. However, if you have no choice, go no lower in settings than you must in order to guarantee functionality.

   Follow the instructions below to change the setting, but do not do this until you have left campus, since the IU ADS is configured to have its computers run at the highest level for this setting:

   1. Determine whether you ran the IUWindowsAuthUpdate program. If you configured your computer with Get Connected or downloaded the tool from IUware, you did; otherwise, you did not.
      
      
   2. Undo the settings:
      
      
      • If you ran IUWindowsAuthUpdate from IUware, uninstall it.
        
        
      • If you changed the settings manually, see How can I use the local security settings to force NTLMv2?

        Note: Do not choose Send NTLMv2 response only/refuse LM & NTLM. Instead, select one of the first four choices. UITS recommends choosing Send NTLMv2 response only, but for some networks, you may need to drop that to Send NTLM response only or lower. Protocols lower than NTLMv2 are considered insecure, so it is best to stay at the highest setting possible for your situation.

Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?