Remove a computer (Workstation) from the domain

Posted on 2004-10-26
Last Modified: 2008-05-30
Whenever I disconnect a workstation from the network, I would like to have its name removed from the Computers OU in the Active Directory.
Is there a way to do that?
Question by: Chuckbuchan
    LVL 2

    Expert Comment

    As far as Active Directory is concerned, the answer is not readily. If you *really* wanted to, I suppose you could script unjoining the domain at logoff, but for 99.9% of people this would not make sense, nor would it guarantee that simply unplugging the machine from the network or power would remove the computer.

    Why? The simple answer is nearly nobody would want to.  

    Whether the computer is on or not (there's no way to distinguish between a computer which is off and one which is disconnected **), most organizations would like that computer to be part of their Active Directory, as AD can be used for setting up machine policies, software pushes, etc.

    I'd have to go back to the idea of "why would you want to?"

    The question suggests there may be something else that you're trying to accomplish, that there may be another approach which will work better.

    ** If your computer supports WOL, then there is some level of presence in the network card drawing power from the network. If the power is unplugged from the system though it still won't report its existence.
    LVL 3

    Expert Comment

    Dear Chuckbuchan:

    Could you please tell me first why you need to do this ??
    LVL 3

    Expert Comment

    The administrator of the domain controller
    can do that.

    Go to start --> all programs --->administrative
    tools ---> active directory users and computers

    find the computer you want to remove in the OU
    then right click the computer and click delete,
    verify that you want to delete it by clicking
    yes, and that's it!

    If you don't have the "active directory users and
    computers" option in the menu, then do
    the following:

    From the administrator account on the active
    directory server, click start ---> run

    type in "mmc" then enter

    click file ---> add/remove snap in

    click ok, then follow the directions up above.


    Fadi Ramada,
    Network+, Security+
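
A scripted counterpart to the manual deletion described above, for the case where disconnected workstations have to be found first. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT), and the search base DN, the 90-day threshold and the CSV path are placeholders.

```powershell
# Added example; not from the original thread.
# Assumes the ActiveDirectory module (RSAT) and rights on computer objects.
Import-Module ActiveDirectory

$searchBase = 'CN=Computers,DC=corp,DC=example,DC=com'   # placeholder DN
$staleDays  = 90                                         # placeholder threshold
$cutoff     = (Get-Date).AddDays(-$staleDays)

# lastLogonTimestamp is replicated between domain controllers, but it is only
# refreshed when the stored value is about 9-14 days old, so keep the
# threshold well above two weeks. The attribute is a FILETIME integer.
$fileTime = $cutoff.ToFileTimeUtc()

# Accounts that have never logged on have no lastLogonTimestamp and are
# not matched by this filter; review those separately.
$stale = Get-ADComputer -SearchBase $searchBase `
    -LDAPFilter "(lastLogonTimestamp<=$fileTime)" `
    -Properties LastLogonDate, PasswordLastSet, OperatingSystem

# Inventory report of machines that have not authenticated since the cutoff.
$stale | Sort-Object -Property LastLogonDate |
    Select-Object Name, Enabled, LastLogonDate, PasswordLastSet, OperatingSystem |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Stage 1: disable accounts that are still enabled (preview only).
$stale | Where-Object { $_.Enabled } | Disable-ADAccount -WhatIf

# Stage 2: delete accounts that were already disabled on an earlier pass
# and have stayed silent (preview only).
$stale | Where-Object { -not $_.Enabled } | Remove-ADComputer -WhatIf
```

Remove `-WhatIf` only after reviewing the report; disabling first leaves a window in which a machine that was merely powered off can be re-enabled instead of rejoined.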
    LVL 2

    Expert Comment

    What you are suggesting is perfect if you want to erase the computer account from Active Directory.
    As far as I know, once the computer reboots... it will still believe it's part of the domain, but you'll have an error when trying to log in to it because the computer account for this machine doesn't exist anymore. When that happens, you'll need to log in with a local admin account on that PC and manually detach it from the domain. That's done by going to Computer\Properties\Computer Name and moving the computer to a workgroup, and then you'll need to restart it.
    Please correct me if I'm wrong...

    There is a way to detach the computer (using a command) from the domain by running a logoff script, using a command called "netdom" (I think it's part of the W2K Res. Kit). It can only be done by a user who is part of the local admin group on that PC. One more thing: to make that computer part of the domain again, you'll have to do it manually... and it can only be done by a user who is part (at least) of the Account Operators group.

    If you can give us some more information on why you want to do this, it would help.
    Thx !



    Author Comment

    The reason I want that is first for inventory purposes, though I am using third-party software that shows all the computers on the network.
    But there is another problem that came up. I can ping 02 computers with different names and they give me the same IP address.
    I flushed DNS, released the DHCP and it still gives me the same.

    LVL 2

    Expert Comment

    Have you checked the DNS entries in your DNS server for those two computers?
    They might have the same IP address there.
    If they do, erase the wrong record...or even better: erase both of them and reboot those two computers so DNS records can be updated.

    Have you tried pinging the IP address to bring the hostname? I.e.: ping -a
    If you get same results, you should also erase PTR records from DNS.

    There is no way two computers can have the same IP address or name in the same network.
    LVL 2

    Accepted Solution

    OK, this really isn't an Active Directory issue then. It's a DNS issue.

    DNS, by its nature, is supposed to keep name-IP mappings around for a while. It does not normally have a mechanism to check for the presence/validity of the entry though (remember DNS was developed long before Active Directory or even reliable TCP/IP connections).

    If you are using your DHCP and Active Directory integrated DNS zone to automatically register DNS entries for machines, then the only way to get this process to go faster is to set your DNS to scavenge old records.

    Now there is a caveat you need to be careful of. Scavenging old records can kill off some of your static entries.  If you're not running any static entries, then you'll be fine.

    The question is how much overlap are you ready/willing to tolerate? If you're having a non-DHCP machine "register this connection's entry in DNS" then every time you boot the machine, it registers. DHCP the same every time you reboot or release/renew.

    Scavenging, if enabled, runs on entries seven days or older.

    If you have machines which are statically configured, and almost never reboot, then this is not necessarily the right solution for you.

    Go into the DNS console and delete the invalid entry, and it'll be fixed up.
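
One way to find the conflicting entries and check the scavenging settings discussed above before deleting anything. This is an added example, not part of the original answer; it assumes the DnsServer PowerShell module (DNS server role or RSAT), and `corp.example.com` is a placeholder zone name.

```powershell
# Added example; not from the original thread.
# Assumes the DnsServer module; 'corp.example.com' is a placeholder zone.
Import-Module DnsServer
$zone = 'corp.example.com'

# Scavenging has to be enabled on the server and aging on the zone.
Get-DnsServerScavenging |
    Select-Object ScavengingState, ScavengingInterval, LastScavengeTime
Get-DnsServerZoneAging -Name $zone |
    Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval

# Flatten every A record to name / address / registration time.
# An empty Timestamp means the record was not dynamically registered.
$records = Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Select-Object HostName, Timestamp,
        @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address.ToString() } }

# Addresses that more than one host name resolves to.
$duplicates = $records | Group-Object -Property IPv4 |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $duplicates) {
    # Show all names sharing the address, newest registration first.
    $group.Group | Sort-Object -Property Timestamp -Descending |
        Format-Table HostName, IPv4, Timestamp -AutoSize

    # Preview removal of the older dynamic registrations only. Records
    # without a timestamp are left for manual review, because some
    # duplicates are legitimate (zone apex and domain controller records).
    $group.Group | Where-Object { $_.Timestamp } |
        Sort-Object -Property Timestamp -Descending |
        Select-Object -Skip 1 |
        ForEach-Object {
            Remove-DnsServerResourceRecord -ZoneName $zone -RRType A `
                -Name $_.HostName -RecordData $_.IPv4 -WhatIf
        }
}
```

The removal step only previews changes while `-WhatIf` is present; check the matching PTR records in the reverse zone separately.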
    LVL 3

    Expert Comment

    Dear Chuckbuchan:

    Another solution, if you don't want to mess up your DNS, is to see which of the two machines is registered with the IP in the DHCP and change the NIC for the other machine.
