For that to happen, will it be just enough to use a local admin when joining the computer to a WORKGROUP?
Would there be any chance to have the computer removed when it is joined to a WORKGROUP?
Actually that should be the case (i.e. the computer object should be automatically deleted) as long as the user who performs this procedure has appropriate permissions to the computer object in Active Directory (besides being a member of the local Administrators group on the computer itself)
hth
Marcin
Thanks for the reply. You mentioned the right permissions to the computer object in AD. How would this be managed? Can we delegate the right to a specific group of users via OU delegation?
You can grant the required permissions (Delete Computer objects) directly from the Advanced Security Settings dialog box of the OU where the computer accounts reside. You might want to consider applying this also to computer child objects, whose presence might prevent automatic deletion during the disjoin operation, but that would depend on the level of control you want to give your support staff...
DSACLS is another, a bit more painful, approach...
hth
Marcin
Would the local admin right be needed besides the Delete Computer objects one given by delegation? I actually would like to skip the local admin right.
If the workstation gets "un-joined" from AD with a local admin user and added to a workgroup (i.e. localhost\administrator), the computer account will still be showing up in AD.
If the workstation gets "un-joined" from AD with a domain user that has local admin rights on the machine (i.e. domainname\username), then the computer account gets updated in AD with a RED X mark showing that it no longer belongs to AD. In my case the RED X mark would be sufficient, but I am trying to avoid the local admin right step in the middle or, if possible, have the account fully removed from AD.
Any help on this?
In general, you rely on having local admin privileges (via membership in the local Administrators group) to remove a computer from the domain. This applies to both domain and local accounts.
Marcin
Hi,
Based on my research, when we disjoin a workstation from the domain, its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it.
You can run the following command to query all disabled computer objects:
dsquery computer -disabled
Hope the information is helpful.
- Marked as answer by Joson Zhou (Moderator) Friday, April 17, 2009 9:05 AM
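The same population that dsquery returns, handled from PowerShell, as an added example that is not part of the thread: it lists computer objects left disabled by a disjoin and, only with -Remove, deletes them with the delegated "Delete Computer objects" right. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Lists disabled computer accounts under an OU
# and, only when -Remove is given, deletes them. Assumes the RSAT ActiveDirectory
# module and an account delegated "Delete Computer objects" on the OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',   # placeholder OU DN
    [int]$OlderThanDays = 30,                                      # grace period before cleanup
    [switch]$Remove
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

# 'Enabled -eq $false' is the same set 'dsquery computer -disabled' returns.
# whenChanged is used as the "disjoined since" approximation: a disjoin updates the object.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' `
            -Properties whenChanged, LastLogonDate |
         Where-Object { $_.whenChanged -lt $cutoff }

$stale | Select-Object Name, whenChanged, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($c in $stale) {
        # Remove-ADComputer refuses objects that still have children (the "child objects"
        # caveat above); Remove-ADObject -Recursive removes those together with the account.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Remove disabled computer object')) {
            Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
        }
    }
}
```

Run it with `-Remove -WhatIf` first; ShouldProcess then only reports which objects would be deleted.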
A regular user can't disjoin a computer from AD. But a local admin user could do it; if that is the case, I have noticed that the computer account will not be shown as DISABLED.
So far, using delegation over the Computer OU does not give the user the right to disjoin the computer from AD (right click My Computer and, when going to CHANGE, it's greyed out).
You said "when we disjoin a workstation from the domain its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it."
In order to do that, what level of access does your user account have when disjoining the computer account from the domain?
Hi,
Yes, only Administrators can change the identification of this computer.
When you disjoin a computer with a local administrator account, a credential box will prompt you to enter the name and password of an account with permission to remove this computer from the domain. If the user account has sufficient permission to remove this computer from the domain, the computer object will be disabled in the Active Directory Users and Computers console.
You can verify it by checking the NetSetup.log file on the client machine:
NetpApplyJoinState: status of disabling account: 0x0
This means the computer account is disabled successfully.
Or
NetpApplyJoinState: status of disabling account: 0x5
This means the computer account cannot be disabled, because the user account does not have sufficient permission.
- Marked as answer by depaul30_hotmail.com Saturday, May 02, 2009 10:01 PM
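The NetSetup.log check described above, as an added example that is not part of the thread: it extracts the "status of disabling account" lines and translates the code (0x5 is the Win32 ERROR_ACCESS_DENIED). The two sample lines are constructed; the log path assumes the default %windir%\debug\NetSetup.log.

```powershell
# Added example (not from the thread). Pulls the account-disable result out of
# NetSetup.log and explains the status code. Sample lines are constructed for the demo.
param([string]$LogPath = 'C:\Windows\debug\NetSetup.log')   # default client log location

function Get-DisjoinStatus {
    param([string[]]$Lines)
    # Codes quoted in the thread; anything else is a plain Win32 error code.
    $meaning = @{
        '0x0' = 'success: computer account disabled in AD'
        '0x5' = 'ERROR_ACCESS_DENIED: the supplied account lacks rights on the computer object'
    }
    foreach ($line in $Lines) {
        if ($line -match 'NetpApplyJoinState: status of disabling account: (0x[0-9A-Fa-f]+)') {
            $code = $Matches[1]
            [pscustomobject]@{
                Line    = $line.Trim()
                Status  = $code
                Meaning = if ($meaning.ContainsKey($code)) { $meaning[$code] }
                          else { 'unrecognised status; look the Win32 error code up' }
            }
        }
    }
}

# Constructed sample mirroring the two outcomes quoted above.
$sample = @(
    '05/02 21:58:11 NetpApplyJoinState: status of disabling account: 0x0',
    '05/02 22:03:40 NetpApplyJoinState: status of disabling account: 0x5'
)
Get-DisjoinStatus -Lines $sample | Format-Table -AutoSize

# Same check against the real log when it exists on this client.
if (Test-Path $LogPath) {
    Get-DisjoinStatus -Lines (Get-Content $LogPath) | Format-Table -AutoSize
}
```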
I have given a user the create and delete computer objects rights, but still, after domain unjoin, the object stays disabled but not deleted.
This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:
http://technet.microsoft.com/en-us/library/cc754624.aspx
Additional considerations
"You can also delete a computer account by disjoining the computer from the domain."
--
Phillip Windell The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"ColbyTrio" wrote in message news:28efe9da-f405-41fa-82fd-900917484f78...
This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:
http://technet.microsoft.com/en-us/library/cc754624.aspx
Additional considerations
"You can also delete a computer account by disjoining the computer from the domain."
They must have updated the article because it now says the exact opposite.
If you disjoin a computer from a domain, the computer remains as a disabled account in Active Directory.
Can I configure AD to automatically remove a computer account from AD when I disjoin a computer from a domain?