Removing a computer from a domain does not delete the computer object from Active Directory.

Question

  • I know that removing a computer from a domain (adding the computer to a workgroup) does not delete the computer object from Active Directory.

    For that to happen, will it be enough to use a local admin when joining the computer to a WORKGROUP?

    Would there be any chance to have the computer removed when it is joined to a WORKGROUP?
    Thursday, April 09, 2009 5:53 PM

Answers

  • Hi,

    Based on my research, when we disjoin a workstation from the domain, its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it.

    You can run the following command to query all disabled computer objects:

    dsquery computer -disabled

    Hope the information is helpful.

    Wednesday, April 15, 2009 7:02 AM
    Moderator
  • Hi,

    Yes, only Administrators can change the identification of this computer.

    When you disjoin a computer with a local administrator account, a credential box will prompt you to enter the name and password of an account with permission to remove this computer from the domain. If the user account has sufficient permission to remove this computer from the domain, the computer object will be disabled in the Active Directory Users and Computers console.

    You can verify it by checking the NetSetup.log file on the client machine:

    NetpApplyJoinState: status of disabling account: 0x0   -> This means the computer account is disabled successfully.

    Or

    NetpApplyJoinState: status of disabling account: 0x5   -> This means the computer account cannot be disabled, because the user account does not have sufficient permission.

    Tuesday, April 21, 2009 8:21 AM
    Moderator

All replies

  • Actually that should be the case (i.e. the computer object should be automatically deleted) as long as the user who performs this procedure has appropriate permissions to the computer object in Active Directory (besides being a member of the local Administrators group on the computer itself).

    hth

    Marcin

    Thursday, April 09, 2009 6:03 PM
  • Thanks for the reply. You mentioned the right permissions to the computer object in AD. How would this be managed? Can we delegate the right to a specific group of users via OU delegation?


    Thursday, April 09, 2009 7:51 PM
  • You can grant the required permissions (Delete Computer objects) directly from the Advanced Security Settings dialog box of the OU where the computer accounts reside. You might want to consider applying this also to computer child objects, whose presence might prevent automatic deletion during the disjoin operation, but that would depend on the level of control you want to give your support staff...
    DSACLS is another, a bit more painful, approach...

    hth
    Marcin

    Thursday, April 09, 2009 10:27 PM

  • Would the local admin right be needed besides the Delete Computer objects one given by delegation? I actually would like to skip the local admin right.

    If the workstation gets "un-joined" from AD with a local admin user and added to a workgroup (i.e: localhost\administrator) the computer account will still be showing up in AD.

    If the workstation gets "un-joined" from AD with a domain user that has local admin rights on the machine (i.e: domainname\username) then the computer account gets updated in AD with a RED X mark showing that it no longer belongs to AD. In my case the RED X mark would be sufficient, but I am trying to avoid the local admin right step in the middle or, if possible, have the account fully removed from AD.

    Any help on this?  
    llara
    Tuesday, April 14, 2009 9:33 PM
  • In general, you rely on having local admin privileges (via membership in the local Administrators group) to remove a computer from the domain. This applies to both domain and local accounts.

    Marcin

    Tuesday, April 14, 2009 11:30 PM
  • How do you disjoin a computer from your domain? In other words, what user account does your helpdesk/analyst have in AD?
    A regular user can't disjoin a computer from AD. But a local admin user could do it; if that is the case, I have noticed that the computer account will not be shown as DISABLED.

    So far, using delegation over the Computer OU does not give the user the right to disjoin the computer from AD (right click My Computer and when going to CHANGE it's greyed out).

    You said "when we disjoin a workstation from the domain its computer account is not automatically deleted from the domain. Instead it is marked as "Disabled" and we need to manually delete it."

    In order to do that, what level of access does your user account have when disjoining the computer account from the domain?

    llara
    Sunday, April 19, 2009 8:57 PM
  • Hello Marcin,

    I have given a user the Create and Delete Computer Objects permissions, but still, after the domain unjoin, the object stays disabled but is not deleted.
    Isaac Oben MCITP:EA, MCSE
    Wednesday, February 03, 2010 5:50 PM
  • We are having the same issue.  Is there any way to delete a Computer Object when it is disjoined from the domain?  Our DCs are running Windows Server 2008 R2 x64.
    Wednesday, September 01, 2010 4:08 PM
  • This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:

    http://technet.microsoft.com/en-us/library/cc754624.aspx

    Additional considerations
    "You can also delete a computer account by disjoining the computer from the domain."

    Wednesday, September 01, 2010 4:14 PM
  • You have to use Domain Admin credentials when you do it.

    If you use local Admin credentials it will remove the machine from the Domain, but it does not have the authority to remove the account from the Domain.

    Explicitly use the Domain Admin credentials by prefixing the username with the Domain name:

    User:  domain\administrator
    Password: *********

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "ColbyTrio" wrote in message news:28efe9da-f405-41fa-82fd-900917484f78...

    This Microsoft article says that by disjoining a computer from the domain it will be deleted from Active Directory:

    http://technet.microsoft.com/en-us/library/cc754624.aspx

    Additional considerations
    "You can also delete a computer account by disjoining the computer from the domain."

    Wednesday, September 01, 2010 8:13 PM
  • They must have updated the article because it now says the exact opposite.  

    If you disjoin a computer from a domain, the computer remains as a disabled account in Active Directory.

    Tuesday, May 12, 2015 1:41 PM
  • Can i configure AD to automatically remove a computer account from AD when i disjoin computer from a domain?

    Wednesday, August 05, 2015 5:01 AM
  • > Can i configure AD to automatically remove a computer account from AD
    > when i disjoin computer from a domain?
     
    Short answer: No.
     

    Greetings, Martin

    How about reading a good book on GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, August 05, 2015 10:42 AM
  • Once again Microcrap has shown they have no understanding of how their product really works and is used in the real world.

    Here they as is usual have made what should be a simple process a STUPID EXTREMELY TIME WASTING PAIN IN THE TAIL END!!!!!!!!!!

    There is no excuse for such extreme stupidity. At no time should I need to make ALL my techs members of the Domain Admins group just to remove a PC from the domain and have it actually DELETE it from the Computers OU so that I DO NOT GET SPN NOT UNIQUE FOREST-WIDE ERRORS AND HAVE TO MANUALLY DELETE THEM WASTING MUCH TIME AND ENERGY. THAT IS RIDICULOUS AND STUPID!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    We  have THOUSANDS of PCs to manage, often needing to move them from one domain to another in our forest. This should be as simple as using the built in tools to disjoin the domain, reboot, and then join the other domain, using an AD account with FULL control over the computer OU etc., BUT NOT A MEMBER OF THE DOMAIN ADMINS group. But NO MICROCRAP decided you have to take a bunch of extra time and go dig up each PC in AD using the AD tools, NOT INSTALLED BY DEFAULT ON EVERY PC DUH!!!!!!!, and manually delete that, adding up to 5 minutes of work per PC being moved from one domain to the next. UNACCEPTABLE AND OBVIOUSLY A TOTALLY STUPID DESIGN. Why even allow someone to remove a PC from the domain if IT IS NOT GOING TO DELETE IT so that it can be moved to another domain etc. with NO SPN errors!!!! HOW STUPID and devoid of common sense!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    I work in IT support. One of my many duties is to setup and configure desktop computers. This includes joining and dis-joining computers to one of the 2 domains we have in our forest. (Currently running Server 2012 R2 will soon be upgraded to Server 2016 for our domain controllers)

    Whenever I remove a computer from one of our domains it leaves the computer in the "Computer" OU for that domain and this is causing major problems for us.

    We have thousands of PCs. These PCs may be on our "staff" domain or they may be on our "student" domain. Many times we need to re-purpose a bunch of these PCs and remove them from one domain and join them to the other one. Unfortunately EVERY TIME we try to do that we get an SPN error. It says "The operation failed because SPN value provided for addition/modification is not unique forest-wide".

    I have, through many hours of research, testing and verification, narrowed the cause of this problem down to the fact that the PC is NOT being deleted from the computer OU in AD when I dis-join it. Yes it is "disabled" but that does not help me. As long as that computer is listed in the Computer OU for that domain I cannot join the other one without stopping what I am doing, going to another PC where I have the Active Directory Tools installed, not usually anywhere near where I am working, and MANUALLY removing it. Because of this BUG, yes it is a BUG, or it is a DESIGN MISTAKE, as it prevents a COMMON SENSE need from being efficiently executed, all the techs here have to WASTE lots of time going into the AD tools and manually deleting computers that OBVIOUSLY should have been deleted when they were dis-joined from the domain.

    All of our techs with this responsibility are kept in an AD group called TSG which stands for Technical Support Group. In the computer OU security settings that group has "Full" permissions. In addition to that the "Protect object from accidental deletion" check box under the OU's "Object" tab is unchecked.

    What else must be done so that without question EVERY TIME one of the techs dis-joins a PC from the domain IT IS removed from the computer OU without ever needing to manually delete it?

    Placing the techs in  to the Domain Admins group is not the answer and would violate security principles 101.

    So how do I change this ONE BEHAVIOR without affecting anything else?

    This obviously very very very poorly thought out default of disabling but leaving the PCs in the computer OU after they have been dis-joined needs to be fixed or they need to stop checking for duplicate SPNs before letting a PC get joined to a domain!

    During my many days of research on this problem I ran across an article that indicated there might be an attribute setting in the OU that could fix this issue, but it got lost among the hundreds of web pages I had open at the time during my research. Perhaps someone could point me to that Microsoft article. I would be very grateful for that.

    Anyway, the bottom line is that AD must delete the PC from the computer OU every time, without exception, when it is dis-joined from the domain, PERIOD.

    Thanks to all who can help find a REAL solution for this most aggravating defect in Windows AD.

    Ralph

    Monday, October 16, 2017 6:13 PM
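The thread's two practical points, the moderator's "dsquery computer -disabled" cleanup and Ralph's "SPN not unique forest-wide" failure on the next join, as an added PowerShell example that is not from the thread or from Microsoft. It requires the RSAT ActiveDirectory module; the OU DN, computer name and age threshold are placeholders.

```powershell
# Added example, not from the thread or from Microsoft. Requires the RSAT
# ActiveDirectory module. The OU DN, computer name and age threshold are
# placeholders to replace for your environment.
Import-Module ActiveDirectory

# Disabled computer objects under one OU: the same set "dsquery computer -disabled"
# returns, narrowed to a search base and to objects not modified for $OlderThanDays.
function Get-StaleDisjoinedComputer {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Workstations,DC=corp,DC=example'
        [int] $OlderThanDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $false } -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object Name, DistinguishedName, whenChanged
}

# Every object in the forest that still holds a HOST/<name> SPN. Any hit here is
# what produces "SPN value ... is not unique forest-wide" when the machine is
# joined to the other domain. Querying a Global Catalog (port 3268) with an empty
# search base covers all domains in the forest.
function Find-ConflictingHostSpn {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    $ldap = "(|(servicePrincipalName=HOST/$ComputerName)(servicePrincipalName=HOST/$ComputerName.*))"
    Get-ADObject -Server "${gc}:3268" -SearchBase '' -LDAPFilter $ldap -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Delete the leftover objects. -Recursive also removes child objects (for example
# BitLocker recovery information) that would otherwise block the delete, which is
# why the delegated group needs delete rights on child objects too, as Marcin notes.
# Dry run by default; pass -Commit to actually delete.
function Remove-StaleDisjoinedComputer {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $OlderThanDays = 30,
        [switch] $Commit
    )
    foreach ($c in Get-StaleDisjoinedComputer -SearchBase $SearchBase -OlderThanDays $OlderThanDays) {
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false -WhatIf:(-not $Commit)
    }
}

# Usage (placeholders):
#   Find-ConflictingHostSpn -ComputerName 'PC0123'
#   Remove-StaleDisjoinedComputer -SearchBase 'OU=Workstations,DC=corp,DC=example' -OlderThanDays 60
```

Running Find-ConflictingHostSpn before a re-join tells you whether the stale object from the old domain is still there; the delegated group only needs delete rights on the OU (and its child objects), not Domain Admins membership, to run the cleanup.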