Delete computer account from AD vs Removing it from Domain

Posted on 2007-10-11
Last Modified: 2011-08-18

My supervisor says it is better to remove a computer from the domain instead of deleting it from Active Directory when the PC is only going to be rebuilt under a new name anyways.  Is this correct, or does it make no difference?  I ask only because sometimes a PC gets rebuilt before it is removed from the domain, and by that point it is too late anyways.  He also says that when a PC is removed from the domain, all information about the PC account is removed more cleanly vs just deleting the account.  Is this correct as well?

Question by: miket71
    LVL 9

    Accepted Solution

    That's really only true to say for a Domain Controller (and in that case, it's very true).  If you're destroying the entire OS of the domain member and rebuilding with the same name, then I'd suggest neither disjoining nor deleting ... simply rebuild and rejoin on top of the old account (you'll need sufficient privileges to do so).  If you're going to install it under a new name then simply delete the computer account from AD and perform the reinstall.

    Note that the computer account may have been made a member of a group or been given permission to a resource; deleting it from AD will lose that configuration even if you recreate a new computer account with the same name.
    LVL 70

    Assisted Solution

    It makes no difference whatsoever in real terms. Removing the computer from the domain has the advantage of removing the trust relationship on both client and server in the same operation, but that is about the only advantage.
    LVL 11

    Expert Comment

    I don't know of any difference between the two methods.
    LVL 9

    Expert Comment

    ... don't forget, computers also receive permission to resources either directly or via group membership (it's the computer's domain-account-SID that we're interested in preserving).
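The two comments above about the computer account's SID suggest a pre-deletion check; the following PowerShell is an added example, not code from the thread, and assumes the RSAT ActiveDirectory module plus read access to whatever share or folder paths you pass in (the computer name and path in the usage line are constructed).

```powershell
# Added example: before deleting a computer account, record what is tied to its SID
# (group memberships and direct ACEs), since a recreated account gets a new SID.
Import-Module ActiveDirectory

function Get-ComputerAccountDependencies {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # computer name as shown in AD (no trailing $)
        [string[]] $PathsToCheck = @()                   # shares/folders whose ACLs to inspect (assumed)
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties memberOf
    $sid = $computer.SID.Value

    # Direct group memberships; these are lost on Remove-ADComputer and not restored by a rejoin under a new name
    $groups = $computer.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }

    # ACEs that name this computer's SID directly (permissions granted to the machine itself)
    $aces = foreach ($path in $PathsToCheck) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            try {
                $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable identity, e.g. an orphaned SID from an already-deleted account
            if ($aceSid -eq $sid) {
                [pscustomobject]@{ Path = $path; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
            }
        }
    }

    [pscustomobject]@{
        Computer = $computer.Name
        SID      = $sid
        Groups   = @($groups)
        Aces     = @($aces)
    }
}

# Usage with constructed names: review the report, then decide between deleting the account
# (new name) and rebuilding/rejoining on top of the existing account (same name, SID kept).
$report = Get-ComputerAccountDependencies -ComputerName 'WS-OLD01' -PathsToCheck '\\fileserver\deploy'
if ($report.Groups.Count -gt 0 -or $report.Aces.Count -gt 0) {
    Write-Warning "Deleting $($report.Computer) drops SID $($report.SID): $($report.Groups.Count) group(s), $($report.Aces.Count) direct ACE(s) would be orphaned."
} else {
    Write-Output "No memberships or direct ACEs found for $($report.Computer); deleting and rebuilding under the new name loses nothing."
}
```

Get-Acl only sees the paths you list, so the report is a lower bound on where the SID is referenced, not proof that nothing else depends on it.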
