Removing a computer from a domain does not delete the computer object from Active Directory.

    Question

  • I know that removing a computer from a domain (adding the computer to a workgroup) does not delete the computer object from Active Directory.

    For that to happen, will it be enough to use a local admin when joining the computer to a WORKGROUP?

    Would there be any chance to have the computer removed when it is joined to a WORKGROUP?
    Thursday, April 09, 2009 5:53 PM

Answers

  • Hi,

    Based on my research, when we disjoin a workstation from the domain, its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it.

    You can run the following command to query all disabled computer objects:

    dsquery computer -disabled

    Hope the information is helpful.

    Wednesday, April 15, 2009 7:02 AM
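    The PowerShell equivalent of the dsquery command above, as an added example that is not part of the thread: it lists disabled computer accounts with how stale each one is, so disjoined machines can be reviewed before they are deleted. It assumes the RSAT ActiveDirectory module is installed; the 90-day threshold is an assumed policy value.

```powershell
# Added example (not from the thread): PowerShell equivalent of "dsquery computer -disabled"
# that also reports how stale each disabled account is, so disjoined machines can be
# reviewed and deleted deliberately. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DisabledComputerReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)   # whole domain by default

    Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
        -Properties whenChanged, lastLogonTimestamp, operatingSystem |
    ForEach-Object {
        # lastLogonTimestamp is a FILETIME; 0 or absent means the account never logged on
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            OperatingSystem   = $_.operatingSystem
            # whenChanged is the last modification; for a freshly disabled object that is the disjoin
            DisabledSince     = $_.whenChanged
            LastLogon         = $lastLogon
            DaysSinceLogon    = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }
        }
    }
}

# Review first, then remove. -WhatIf shows what would be deleted without touching AD.
$stale = Get-DisabledComputerReport | Where-Object { $_.DaysSinceLogon -gt 90 }   # 90 days is an assumed threshold
$stale | Format-Table Name, OperatingSystem, DisabledSince, DaysSinceLogon -AutoSize
$stale | ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName -WhatIf }
```

    Remove-ADComputer refuses to delete an account that still has child objects (for example a BitLocker recovery object); those need Remove-ADObject -Recursive, which is the same child-object issue raised later in the thread for the disjoin itself.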
  • Hi,

    Yes, only Administrators can change the identification of this computer.

    When you disjoin a computer with a local administrator account, a credential box will prompt you to enter the name and password of an account with permission to remove this computer from the domain. If the user account has sufficient permission to remove this computer from the domain, the computer object will be disabled in the Active Directory Users and Computers console.

    You can verify it by checking the NetSetup.log file on the client machine:

    NetpApplyJoinState: status of disabling account: 0x0   → This means the computer account is disabled successfully.

    Or

    NetpApplyJoinState: status of disabling account: 0x5   → This means the computer account cannot be disabled, because the user account does not have sufficient permission.

    Tuesday, April 21, 2009 8:21 AM
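    A small script to pull the disjoin status line out of NetSetup.log and decode the two codes named above, as an added example that is not from the thread. The log lines in it are constructed for illustration; on a real client the file lives at %windir%\debug\NetSetup.log.

```powershell
# Added example (not from the thread): decode the "status of disabling account" line that
# NetpApplyJoinState writes to NetSetup.log during a disjoin.
# The sample below is constructed; real entries carry a fuller timestamp.
$sampleLog = @'
04/21 08:15:02 NetpUnJoinDomain: unjoin from 'CONTOSO'
04/21 08:15:03 NetpApplyJoinState: status of disabling account: 0x5
04/21 08:15:03 NetpApplyJoinState: status of setting ComputerNamePhysicalDnsDomain to '(NULL)': 0x0
'@ -split "`r?`n"

# The two outcomes discussed in the thread; 0x5 is the Win32 code ERROR_ACCESS_DENIED.
$statusMeaning = @{
    '0x0' = 'Computer account disabled in AD (the supplied account had the needed permission)'
    '0x5' = 'ERROR_ACCESS_DENIED: account NOT disabled; the supplied account lacks permission on the computer object'
}

function Get-DisjoinStatus {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'NetpApplyJoinState: status of disabling account: (0x[0-9A-Fa-f]+)') {
            $code = $Matches[1].ToLower()
            [pscustomobject]@{
                Line    = $line
                Status  = $code
                Meaning = if ($statusMeaning.ContainsKey($code)) { $statusMeaning[$code] }
                          else { "Other Win32 error $code; decode it with: certutil -error $code" }
            }
        }
    }
}

Get-DisjoinStatus -Lines $sampleLog | Format-List
# Against the real file on a client:
# Get-DisjoinStatus -Lines (Get-Content "$env:windir\debug\NetSetup.log")
```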

All replies

  • Actually that should be the case (i.e. computer object should be automatically deleted) as long as the user who performs this procedure has appropriate permissions to the computer object in Active Directory (besides being a member of local Administrators group on the computer itself)

    hth

    Marcin

    Thursday, April 09, 2009 6:03 PM
  • Thanks for the reply. You mentioned the right permissions to the computer object in AD. How would this be managed? Can we delegate the right to a specific group of users via OU delegation?


    Thursday, April 09, 2009 7:51 PM
  • You can grant the required permissions (Delete Computer objects) directly from the Advanced Security Settings dialog box of the OU where the computer accounts reside. You might want to consider applying this also to computer child objects, whose presence might prevent automatic deletion during the disjoin operation, but that would depend on the level of control you want to give your support staff...
    DSACLS is another, a bit more painful, approach...

    hth
    Marcin

    Thursday, April 09, 2009 10:27 PM
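    A read-only check of the delegation described above, as an added example that is not from the thread: it reports which trustees hold Delete Computer objects on an OU, and which hold Delete/Delete Subtree on the computer objects themselves (the child-object case). It assumes the RSAT ActiveDirectory module and its AD: drive; the OU path is a placeholder.

```powershell
# Added example (not from the thread): list who can delete computer objects under an OU,
# which is the permission the disjoin needs in order to remove (not just disable) the account.
# Assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides.
Import-Module ActiveDirectory

function Get-ComputerDeleteDelegation {
    param([Parameter(Mandatory)][string]$OuDn)   # e.g. "OU=Workstations,DC=contoso,DC=com" (placeholder)

    # Resolve the schemaIDGUID of the 'computer' class from the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid = [guid]$computerClass.schemaIDGUID

    $acl = Get-Acl -Path ("AD:\" + $OuDn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # "Delete Computer objects" on the OU: DeleteChild scoped to the computer class (or to all classes).
        $canDeleteChild = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) -and
            ($ace.ObjectType -eq $computerGuid -or $ace.ObjectType -eq [guid]::Empty)

        # Delete / Delete Subtree inherited onto computer objects: needed when the account has child objects.
        $canDeleteObject = ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Delete) -or
                            $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)) -and
            ($ace.InheritedObjectType -eq $computerGuid -or $ace.InheritedObjectType -eq [guid]::Empty)

        if ($canDeleteChild -or $canDeleteObject) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights
                Covers    = if ($canDeleteChild) { 'Delete Computer objects (OU)' } else { 'Delete / Delete Subtree on computer objects' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-ComputerDeleteDelegation -OuDn "OU=Workstations,DC=contoso,DC=com" | Format-Table -AutoSize
```

    GenericAll (Full Control) sets all of these bits, so Domain Admins and similar trustees show up as expected; anyone else listed is a delegation worth confirming.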

  • Would the local admin right be needed besides the Delete Computer objects one given by delegation? I actually would like to skip the local admin right.

    If the workstation gets "un-joined" from AD with a local admin user and added to a workgroup (i.e. localhost\administrator), the computer account will still be showing up in AD.

    If the workstation gets "un-joined" from AD with a domain user that has local admin rights on the machine (i.e. domainname\username), then the computer account gets updated in AD with a RED X mark showing that it no longer belongs to AD. In my case the RED X mark would be sufficient, but I am trying to avoid the local admin right step in the middle or, if possible, have the account fully removed from AD.

    Any help on this?  
    llara
    Tuesday, April 14, 2009 9:33 PM
  • In general, you rely on having local admin privileges (via membership in the local Administrators group) to remove a computer from the domain. This applies to both domain and local accounts.

    Marcin

    Tuesday, April 14, 2009 11:30 PM
  • How do you disjoin a computer from your domain? In other words, what user account does your helpdesk/analyst have in AD?
    A regular user can't disjoin a computer from AD. But a local admin user could do it; if that is the case, I have noticed that the computer account will not be shown as DISABLED.

    So far, using delegation over the Computer OU does not give the user the right to disjoin the computer from AD (right-click My Computer and, when going to CHANGE, it's greyed out).

    You said: "when we disjoin a workstation from the domain its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it."

    In order to do that, what level of access does your user account have when disjoining the computer account from the domain?

    llara
    Sunday, April 19, 2009 8:57 PM
  • Hello Marcin,

    I have given a user the Create and Delete Computer objects permissions, but still, after the domain unjoin, the object stays disabled but not deleted.
    Isaac Oben MCITP:EA, MCSE
    Wednesday, February 03, 2010 5:50 PM
  • We are having the same issue. Is there any way to delete a Computer Object when it is disjoined from the domain? Our DCs are running Windows Server 2008 R2 x64.
    Wednesday, September 01, 2010 4:08 PM
  • This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:

    http://technet.microsoft.com/en-us/library/cc754624.aspx

    Additional considerations
    "You can also delete a computer account by disjoining the computer from the domain."

    Wednesday, September 01, 2010 4:14 PM
  • You have to use Domain Admin credentials when you do it.

    If you use local Admin credentials, it will remove the machine from the Domain, but it does not have the authority to remove the account from the Domain.

    Explicitly use the Domain Admin credentials by prefixing the username with the Domain name:

    User:  domain\administrator
    Password: *********

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Wednesday, September 01, 2010 8:13 PM