Computer account of PC removed from domain remains in Active Directory

Posted on 2009-02-18
Last Modified: 2012-06-27
When a tech who is in the domain "Account operators" group logs onto a PC and takes it out of the domain by putting it into a workgroup, the computer account of that PC will disappear from Active Directory. But when a technician who is not an account operator (but has the delegated right to create & delete computer objects) removes a PC from the domain by putting it into a workgroup, the computer leaves the domain but the account does not disappear from Active Directory. I want to enable the technicians to remove a PC from the domain and have the computer account automatically disappear from AD. However, I do not want to add their user accounts to the account operators group. Is there a way to accomplish this?
Question by:bradber
    LVL 5

    Assisted Solution

    As long as you have your computer objects located in their own container I would grant the technician group (I assume you are using groups...if not you need to) full control on computer objects in the OU, not just create/delete, in order to make sure they are unhindered in their tasks.

    Accepted Solution

    Hi LuvJesus

    Thanks for your response. I'm sure that would work but I am looking for a more granular method, as there are many rights that I do not want to give away to the techs. They already have the "delete computer object" right but apparently that is not enough. It might be possible to do this without assigning special permissions but it is not apparent to me which one would do the trick. Suggestions?
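
The thread contrasts two delegations on the computer OU: create/delete of computer objects (what the techs already hold) and full control on computer objects (what the answer proposes). The script below is an added example, not part of the thread, that lists what a technician group currently holds on an OU so the two can be compared before anything is widened. The OU path and group name are placeholders, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example, not from the thread. $ou and $group are placeholders.
Import-Module ActiveDirectory                      # provides the AD: drive used by Get-Acl
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

$ou    = 'OU=Workstations,DC=example,DC=com'       # placeholder: OU holding the computer objects
$group = 'EXAMPLE\PC-Technicians'                  # placeholder: delegated technician group

# schemaIDGUID of the "computer" object class
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$fullControl   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        # ObjectType scopes create/delete-child rights to one class;
        # InheritedObjectType scopes an inherited ACE to descendants of one class.
        $appliesTo = if ($_.InheritedObjectType -eq $computerClass) {
            'existing computer objects under the OU'
        } elseif ($_.ObjectType -eq $computerClass) {
            'computer objects as children (create/delete)'
        } else {
            'other scope (all object types or a specific property)'
        }
        [pscustomobject]@{
            Access      = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            FullControl = (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
            Inherited   = $_.IsInherited
        }
    } |
    Format-Table -AutoSize -Wrap
```

A row with `FullControl = True` applying to existing computer objects corresponds to the broad grant proposed in the answer; rows showing only `CreateChild, DeleteChild` correspond to the narrower delegation the asker describes.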
