In use - if each user has their own credentials, and they don't share, then in the event of a staff change you just deactivate one account. Don't leave a computer logged in as a practitioner without locking the screen.
Are you referring to logging into the domain and authenticating with the server where users can be activated, deactivated or deleted?
If the network has a domain control, or in the case of independent computers, it means disabling the account on each machine where the account was created.
This is what I figured/hoped you would say. While one can log into their own computer when not on a domain, when you are on a domain, you don't log into the local client, you log into/authenticate with the server. The server then knows "who you are" so it can assign permissions and allow you to access what you need to access. You never log into the local machine. This is difficult to conceive after years of logging into one's own computer. In fact, when one has to take the client off the domain and change it back to a workgroup computer in order to reattach it to the domain, after months of logging into the server, you can actually get locked out of the local computer so you are unable to do anything except completely reformat. (Of course, there are many tools out there for changing the username and password.
But, the point is if you use WIN7 on your server, you now can only have a workgroup and no client can log into the server. This gives you infinitely less security and options. No user groups, no group permissions, no GPOs, etc. etc. And, you won't have all of your users on one machine. If you use a true server OS on the server, you could still run a workgroup P2P, but always have the option to change to a full fledge client/server domain at anytime.
