Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Delete computer account from AD from a workstation not on domain

Posted on 2009-05-06
6
Medium Priority
?
1,506 Views
Last Modified: 2012-05-06
Hello,

I'm looking for a script that will prompt a user for a computername, then search AD for that computername, and delete it.  The script needs to be able to run from an XP machine that is not a member of the domain (yet).  

I've found several vbscripts on EE's website that query AD and delete computer accounts, and they work great as long as you run them from a machine that is on the domain.  

Basically, I'd like a script that prompts the user for not only the machine name they'd like to delete, but also for their admin username and password.  I've found one vbscript on another post courtesy of kelvinight, but it needs to be able to prompt the user for network credentials as well as the computer name...  

Any help would be appreciated.  I'm including the vbscript from kelvinight below.  Here's the question that came from:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_24062723.html
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = "test\admin"
objConnection.Properties("Password") = "home"
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
strComputer = "test"
strDomain = "srv.test.com"
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Page Size") = 100
objCommand.Properties("Cache Results") = False
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='computer' " & _
        "AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
objRecordSet.MoveFirst
 
strADsPath = ""
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Wend
If strADsPath = "" Then
      MsgBox "Computer not found."
Else
      MsgBox "Computer path: " & strADsPath
      Set objNS = GetObject("LDAP:")
      Set objComputer =  objNS.OpenDSObject(strADsPath, "test\admin", "home",ADS_SECURE_AUTHENTICATION)
        objComputer.DeleteObject (0)
End If

Open in new window

0
Comment
Question by:damoncf1234
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Accepted Solution

by:
Hubasan earned 1600 total points
ID: 24317375
Hi damoncf1234,
I have included all the things you requested from above. If you have any questions, please let me know.

Here try this:
On Error Resume Next
 
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
Const cTitle = "Delete Computer from Domain"
Set oWS = CreateObject("WScript.Shell")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
 
sUser = InputBox("Please type your Domain and UserID and click OK",cTitle ,"DOMAIN\UserID")
sPassword = InputBox("Please type in your Network password and click OK",cTitle,"YourPasswordHere")
strComputer = InputBox("Please type in ComputerName of the computer you want to delete",cTitle,"ComputerNameHere")
objConnection.Properties("User ID") = sUser
objConnection.Properties("Password") = sPassword
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
sUserDom = Split(sUser,"\")
strDomain = sUserDom(0)
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Page Size") = 100
objCommand.Properties("Cache Results") = False
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='computer' " & _
        "AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
objRecordSet.MoveFirst
 
strADsPath = ""
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Wend
If strADsPath = "" Then
      oWS.Popup "Computer not found in domain: " & strDomain, ,cTitle , vbExclamation
Else
      oWS.Popup "Computer path: " & strADsPath, ,cTitle,vbInformation
      Set objNS = GetObject("LDAP:")
      Set objComputer =  objNS.OpenDSObject(strADsPath, sUser, sPassword,ADS_SECURE_AUTHENTICATION)
        objComputer.DeleteObject (0)
      If Err.Number <> 0 Then
      	oWS.Popup "Computer " & strComputer & " NOT deleted from domain: " & strDomain & vbcrlf &_
      	"Error Number: " & Err.Number & vbCrLf &_
      	"Error Description: " & Err.Description, ,cTitle, vbCritical
      End If
End If

Open in new window

0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 400 total points
ID: 24317439
Have a go with this.

I've tested from an untrusted domain, rather than a workgroup but the principal is the same. The script prompts you for:

The FQDN of the domain controller to connect to
User name (DOMAIN\USER)
Password
Machine account name to delete

I've changed the logic of the code a little and removed some unnecessary lines.

Let me know if this works for you.
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
 
strLDAPServer = InputBox("Please Enter The DC To Connect To","Enter DC Name")
strUser = InputBox("Please Enter The User Name To Perform Operation - DOMAIN\USER","Enter User Name")
strPass = InputBox("Please Enter The Password To Perform Operation","Enter Password")
strComputer = InputBox("Please Enter The CN Of the machine to delete","Enter Machine")
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = strUser
objConnection.Properties("Password") = StrPass
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" & strLDAPServer & "' WHERE objectCategory='computer' AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
If objRecordset.RecordCount = 1 Then
	objRecordSet.MoveFirst
	strADsPath = objRecordSet.Fields("ADsPath").Value
    WScript.Echo "Computer path: " & strADsPath
	Set objNS = GetObject("LDAP:")
	Set objComputer =  objNS.OpenDSObject(strADsPath, strUser, strPass,ADS_SECURE_AUTHENTICATION)
	objComputer.DeleteObject (0)
	WScript.Echo "Found and deleted computer account from path: " & strADsPath
Else
	If objRecordset.RecordCount = 0 Then MsgBox "Computer not found." Else WScript.Echo "Ambiguous search result. Aborting"
End If

Open in new window

0
 

Author Comment

by:damoncf1234
ID: 24329667
Hubasan, thanks.  That script worked great.  

Tony, thanks for the help as well.  One thing with your proposed solution; the user's admin password was not masked, so anyone looking over someone's shoulder would be able to see a password being typed in...
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Closing Comment

by:damoncf1234
ID: 31578509
Thanks for the help.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24333864
Sorry Hubasan - I didn''t refresh before posting.

damoncf1234 - I don't think either script masks user input. I'm not sure how you would do this with VBS.

Glad you got it sorted though...
0
 
LVL 7

Expert Comment

by:Hubasan
ID: 24337217
No problem bluntTony,

It happened a lot to me when I first started here, so now I just refresh the thread before posting to make sure users are not getting help from another expert :-)

damoncf1234,

Masking the password is not possible in VBS, while using a default wscript.exe provider as a default. So unless you were to use HTA with embedded VBS which is an unnecessary complication in my opinion, you will not be able to do it.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question