Removing a computer from a domain does not delete the computer object from Active Directory.
I know that removing a computer from a domain (adding the computer to a workgroup) does not delete the computer object from Active Directory.

For that to happen, would it be enough to use a local admin when joining the computer to a WORKGROUP?

Would there be any chance to have the computer removed when it is joined to a WORKGROUP?
April 9th, 2009 5:53pm

Actually that should be the case (i.e. the computer object should be automatically deleted) as long as the user who performs this procedure has appropriate permissions to the computer object in Active Directory (besides being a member of the local Administrators group on the computer itself).

hth

Marcin

April 9th, 2009 6:03pm

Thanks for the reply. You mentioned the right permissions to the computer object in AD. How would this be managed? Can we delegate the right to a specific group of users via OU delegation?

April 9th, 2009 7:51pm

You can grant the required permissions (Delete Computer objects) directly from the Advanced Security Settings dialog box of the OU where the computer accounts reside. You might want to consider applying this also to computer child objects, whose presence might prevent automatic deletion during the disjoin operation, but that would depend on the level of control you want to give your support staff...
DSACLS is another, a bit more painful, approach...
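The DSACLS variant of the delegation described above, as an added example that is not part of the original thread. The OU path and group name are assumed placeholders; the permission strings follow DSACLS syntax (DC = delete child, SD = delete, DT = delete tree).

```powershell
# Added example (not from the thread): delegate deletion of computer
# accounts on a workstation OU with DSACLS, then review the resulting ACEs.
# Assumed values: replace the OU and group with your own.
$ou    = 'OU=Workstations,DC=example,DC=com'   # assumed OU holding the computer accounts
$group = 'EXAMPLE\Helpdesk'                     # assumed group that disjoins machines

# DC;computer = "Delete child objects of class computer" on the OU.
# /I:T applies the ACE to this object and all sub-objects (nested OUs).
dsacls $ou /I:T /G "${group}:DC;computer"

# Child objects under a computer account (e.g. service connection points)
# can block deletion, as noted above. Granting Delete (SD) and Delete Tree
# (DT) on inherited computer objects lets the account go with its children.
# /I:S = sub-objects only; the empty middle field means "all rights on
# the object", the last field restricts it to computer objects.
dsacls $ou /I:S /G "${group}:SDDT;;computer"

# Review what the helpdesk group can now do on the OU.
dsacls $ou | Select-String -SimpleMatch $group
```

Keep the grant scoped to the OU that actually holds workstations; applying it at the domain root would let the group delete servers and domain controllers as well.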

hth
Marcin

April 9th, 2009 10:27pm


Would the local admin right still be needed besides the Delete Computer objects one given by delegation? I actually would like to skip the local admin right.

If the workstation gets "un-joined" from AD with a local admin user and added to a workgroup (i.e: localhost\administrator) the computer account will still be showing up on AD.

If the workstation gets "un-joined" from AD with a domain user that has local admin rights on the machine (i.e: domainname\username) then the computer account gets updated in AD with a RED X mark showing that it no longer belongs to AD. In my case the RED X mark would be sufficient, but I am trying to avoid the local admin right step in the middle or, if possible, have the account fully removed from AD.

Any help on this?
April 14th, 2009 9:33pm

In general, you rely on having local admin privileges (via membership in the local Administrators group) to remove a computer from the domain. This applies to both domain and local accounts.

Marcin

April 14th, 2009 11:30pm

Hi,

Based on my research, when we disjoin a workstation from the domain, its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it.

You can run the following command to query all disabled computer objects:

dsquery computer -disabled

Hope the information is helpful.

April 15th, 2009 7:02am

How do you disjoin a computer from your domain, in other words what user account does your helpdesk/analyst have in AD?
A regular user can't disjoin a computer from AD. But a local admin user could do it; if that is the case, I have noticed that the computer account will not be shown as DISABLED.

So far, using delegation over the Computer OU does not give the user the right to disjoin the computer from AD (right click My Computer and when going to CHANGE it's greyed out).

You said "when we disjoin a workstation from the domain its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it."

In order to do that, what level of access does your user account have when disjoining the computer account from the domain?
April 19th, 2009 8:57pm

Hi,

Yes, only Administrators can change the identification of this computer.

When you disjoin a computer with local administrator account, a credential box will prompt for you to enter the name and password of an account with permission to remove this computer from the domain. If the user account has sufficient permission to remove this computer from the domain, the computer object will be disabled in Active Directory Users and Computers console.

You can verify it by checking the NetSetup.log file on the client machine:

NetpApplyJoinState: status of disabling account: 0x0

This means the computer account is disabled successfully.

Or

NetpApplyJoinState: status of disabling account: 0x5

This means the computer account cannot be disabled, because the user account does not have sufficient permission.
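A way to check both sides of this after a disjoin, as an added example that is not part of the original thread: it parses the NetSetup.log lines quoted above on the client and lists the disabled computer accounts on the domain side (the PowerShell equivalent of dsquery computer -disabled). It assumes the default NetSetup.log location and the RSAT ActiveDirectory module; the Get-DisjoinStatus function name is my own.

```powershell
# Added example (not from the thread): audit the outcome of a domain disjoin.
# Assumes C:\Windows\debug\NetSetup.log (default client-side join log) and
# the ActiveDirectory module for the domain-side query.
$logPath = 'C:\Windows\debug\NetSetup.log'

function Get-DisjoinStatus {
    param([string]$Path = $logPath)
    # Meanings of the two codes quoted in the post; anything else is
    # decoded as a generic Win32 error (0x5 is ERROR_ACCESS_DENIED).
    $known = @{
        '0x0' = 'computer account disabled in AD'
        '0x5' = 'access denied: caller lacks rights on the computer object'
    }
    Get-Content -Path $Path |
        Select-String -Pattern 'status of disabling account:\s*(0x[0-9a-fA-F]+)' |
        ForEach-Object {
            $code = $_.Matches[0].Groups[1].Value
            $text = if ($known.ContainsKey($code)) {
                $known[$code]
            } else {
                (New-Object ComponentModel.Win32Exception ([int]$code)).Message
            }
            [pscustomobject]@{ Line = $_.LineNumber; Status = $code; Meaning = $text }
        }
}

# Client side: every disabling attempt recorded in the log, newest last.
Get-DisjoinStatus | Format-Table -AutoSize

# Domain side: accounts a disjoin left behind as disabled, most recent first,
# so stale objects can be reviewed and removed deliberately.
Get-ADComputer -Filter 'Enabled -eq $false' -Properties whenChanged |
    Select-Object Name, DistinguishedName, whenChanged |
    Sort-Object whenChanged -Descending
```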

April 21st, 2009 8:21am

Hello Marcin,

I have given a user the create and delete computer objects but still after domain unjoin the object stays disabled but not deleted..
February 3rd, 2010 5:50pm

We are having the same issue. Is there any way to delete a Computer Object when it is disjoined from the domain? Our DCs are running Windows Server 2008 R2 x64.
September 1st, 2010 4:08pm

This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:

http://technet.microsoft.com/en-us/library/cc754624.aspx

Additional considerations
"You can also delete a computer account by disjoining the computer from the domain."

September 1st, 2010 4:14pm

You have to use Domain Admin credentials when you do it. If you use local Admin credentials it will remove the machine from the Domain, but it does not have the authority to remove the account from the Domain. Explicitly use the Domain Admin credentials by prefixing the username with the Domain name: User: domain\administrator Password: *********
--
Phillip Windell   The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
September 1st, 2010 8:13pm

They must have updated the article because it now says the exact opposite.  

If you disjoin a computer from a domain, the computer remains as a disabled account in Active Directory.

May 12th, 2015 1:41pm

Can I configure AD to automatically remove a computer account from AD when I disjoin a computer from a domain?

August 5th, 2015 1:05am
