Remove computer from docking station
ID: oval:org.secpod.oval:def:36480 | Date: (C)2016-08-05 (M)2023-07-14
Class: COMPLIANCE | Family: windows
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.
Default: Administrators, Power Users, Users
Counter Measure:
Ensure that only the local Administrators group and the user account to which the computer is allocated are assigned the Remove computer from docking station user right.
Potential Impact:
By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted the right as necessary. If your organization's users are not members of the local Administrators group on their portable computers, they will be unable to remove their own portable computers from their docking stations without shutting them down first. Therefore, you may want to assign the Remove computer from docking station privilege to the local Users group for portable computers.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Remove computer from docking station
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeUndockPrivilege' and precedence=1
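The following PowerShell audit is an added example, not part of the original definition. It runs the WMI query from item (3) and checks each returned account against the countermeasure above. The `$AssignedUser` value is a constructed placeholder for the account the computer is allocated to; the script assumes `AccountList` entries may be account names or SID strings and resolves both to SIDs before comparing.

```powershell
# Added example: audit SeUndockPrivilege using the RSoP query given in the Fix section.
# $AssignedUser is a hypothetical placeholder; set it to the laptop's allocated account.
$AssignedUser = "$env:COMPUTERNAME\laptop-owner"

function Resolve-Sid([string]$Account) {
    # Accepts an account name or a SID string (optionally prefixed with '*').
    $name = $Account.TrimStart('*')
    try {
        if ($name -match '^S-1-\d+(-\d+)+$') {
            return ([System.Security.Principal.SecurityIdentifier]::new($name)).Value
        }
        $nt = [System.Security.Principal.NTAccount]::new($name)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account could not be resolved on this machine
    }
}

# Allowed holders per the countermeasure: BUILTIN\Administrators plus the assigned user.
$allowed  = @('S-1-5-32-544')
$ownerSid = Resolve-Sid $AssignedUser
if ($ownerSid) { $allowed += $ownerSid }

$right = Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_UserPrivilegeRight `
    -Filter "UserRight='SeUndockPrivilege' AND precedence=1" -ErrorAction SilentlyContinue

if (-not $right) {
    Write-Output 'SeUndockPrivilege: no RSoP record with precedence=1 was found.'
    return
}

# One row per account that holds the right; unresolved accounts count as findings.
$findings = foreach ($entry in $right.AccountList) {
    $sid = Resolve-Sid $entry
    [pscustomobject]@{
        Account   = $entry
        Sid       = $sid
        Compliant = ($null -ne $sid -and $allowed -contains $sid)
    }
}

$findings | Format-Table -AutoSize
if ($findings.Compliant -contains $false) { 'NON-COMPLIANT' } else { 'COMPLIANT' }
```

Run it from an elevated PowerShell 5.1 or later session, since reading the `root\rsop\computer` namespace normally requires administrative rights.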
Platform: Microsoft Windows 10