This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 17%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
Hi,
We have 3 domain controllers one of Master DC another one ADC and last one is Read Only DC.
Read Only DC is being used for remote office domain services.
If I login at RODC , I can click "change to domain controller" then changing domain.
Is there anyway to disable this attribute at schema or regedit? I don't want to change domain controller for any admin who can login RODC?
thanks. 
What problem does this cause? This only changes the active domain controller in that MMC instance.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
As mentioned by Patrick , you can change domain controller on MMC instance, it can be done from any machine where active directory tools installed (RODC,member server, workstation, domain controller).
If you want prevent any change launched from RODC servers, you should check the permission of each admin account allowed to login on RODC ,avoid put all admin account on domain admin group, and prevent all domain admin account to longon on RODC servers.
Please don't forget to mark helpful reply as answer
Hi Patrick and Bourbita,
You are right but our organization has different admins who have some permisson at Active Directory Console. On the other hand by default Domain users have permission to read some AD objects.
I think that, I can remove or change passive to change domain controller menu via schema setting or attribute setting.
If I can prevent this action by delegation, do you have any delegation sceranios?
Thanks.
Some ideas here.
https://www.rebeladmin.com/2018/02/step-step-guide-manage-active-directory-permissions-using-object-acls/
--please don't forget to upvote and Accept as answer if the reply is helpful--