Solved

Delete computer account from AD from a workstation not on domain

Posted on 2009-05-06
6
1,435 Views
Last Modified: 2012-05-06
Hello,

I'm looking for a script that will prompt a user for a computername, then search AD for that computername, and delete it.  The script needs to be able to run from an XP machine that is not a member of the domain (yet).  

I've found several vbscripts on EE's website that query AD and delete computer accounts, and they work great as long as you run them from a machine that is on the domain.  

Basically, I'd like a script that prompts the user for not only the machine name they'd like to delete, but also for their admin username and password.  I've found one vbscript on another post courtesy of kelvinight, but it needs to be able to prompt the user for network credentials as well as the computer name...  

Any help would be appreciated.  I'm including the vbscript from kelvinight below.  Here's the question that came from:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_24062723.html
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = "test\admin"
objConnection.Properties("Password") = "home"
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
strComputer = "test"
strDomain = "srv.test.com"
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Page Size") = 100
objCommand.Properties("Cache Results") = False
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='computer' " & _
        "AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
objRecordSet.MoveFirst
 
strADsPath = ""
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Wend
If strADsPath = "" Then
      MsgBox "Computer not found."
Else
      MsgBox "Computer path: " & strADsPath
      Set objNS = GetObject("LDAP:")
      Set objComputer =  objNS.OpenDSObject(strADsPath, "test\admin", "home",ADS_SECURE_AUTHENTICATION)
        objComputer.DeleteObject (0)
End If

Open in new window

0
Comment
Question by:damoncf1234
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Accepted Solution

by:
Hubasan earned 400 total points
ID: 24317375
Hi damoncf1234,
I have included all the things you requested from above. If you have any questions, please let me know.

Here try this:
On Error Resume Next
 
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
Const cTitle = "Delete Computer from Domain"
Set oWS = CreateObject("WScript.Shell")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
 
sUser = InputBox("Please type your Domain and UserID and click OK",cTitle ,"DOMAIN\UserID")
sPassword = InputBox("Please type in your Network password and click OK",cTitle,"YourPasswordHere")
strComputer = InputBox("Please type in ComputerName of the computer you want to delete",cTitle,"ComputerNameHere")
objConnection.Properties("User ID") = sUser
objConnection.Properties("Password") = sPassword
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
sUserDom = Split(sUser,"\")
strDomain = sUserDom(0)
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Page Size") = 100
objCommand.Properties("Cache Results") = False
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='computer' " & _
        "AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
objRecordSet.MoveFirst
 
strADsPath = ""
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Wend
If strADsPath = "" Then
      oWS.Popup "Computer not found in domain: " & strDomain, ,cTitle , vbExclamation
Else
      oWS.Popup "Computer path: " & strADsPath, ,cTitle,vbInformation
      Set objNS = GetObject("LDAP:")
      Set objComputer =  objNS.OpenDSObject(strADsPath, sUser, sPassword,ADS_SECURE_AUTHENTICATION)
        objComputer.DeleteObject (0)
      If Err.Number <> 0 Then
      	oWS.Popup "Computer " & strComputer & " NOT deleted from domain: " & strDomain & vbcrlf &_
      	"Error Number: " & Err.Number & vbCrLf &_
      	"Error Description: " & Err.Description, ,cTitle, vbCritical
      End If
End If

Open in new window

0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 100 total points
ID: 24317439
Have a go with this.

I've tested from an untrusted domain, rather than a workgroup but the principal is the same. The script prompts you for:

The FQDN of the domain controller to connect to
User name (DOMAIN\USER)
Password
Machine account name to delete

I've changed the logic of the code a little and removed some unnecessary lines.

Let me know if this works for you.
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1
 
strLDAPServer = InputBox("Please Enter The DC To Connect To","Enter DC Name")
strUser = InputBox("Please Enter The User Name To Perform Operation - DOMAIN\USER","Enter User Name")
strPass = InputBox("Please Enter The Password To Perform Operation","Enter Password")
strComputer = InputBox("Please Enter The CN Of the machine to delete","Enter Machine")
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = strUser
objConnection.Properties("Password") = StrPass
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 1
 
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
 
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" & strLDAPServer & "' WHERE objectCategory='computer' AND Name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
 
If objRecordset.RecordCount = 1 Then
	objRecordSet.MoveFirst
	strADsPath = objRecordSet.Fields("ADsPath").Value
    WScript.Echo "Computer path: " & strADsPath
	Set objNS = GetObject("LDAP:")
	Set objComputer =  objNS.OpenDSObject(strADsPath, strUser, strPass,ADS_SECURE_AUTHENTICATION)
	objComputer.DeleteObject (0)
	WScript.Echo "Found and deleted computer account from path: " & strADsPath
Else
	If objRecordset.RecordCount = 0 Then MsgBox "Computer not found." Else WScript.Echo "Ambiguous search result. Aborting"
End If

Open in new window

0
 

Author Comment

by:damoncf1234
ID: 24329667
Hubasan, thanks.  That script worked great.  

Tony, thanks for the help as well.  One thing with your proposed solution; the user's admin password was not masked, so anyone looking over someone's shoulder would be able to see a password being typed in...
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Closing Comment

by:damoncf1234
ID: 31578509
Thanks for the help.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24333864
Sorry Hubasan - I didn''t refresh before posting.

damoncf1234 - I don't think either script masks user input. I'm not sure how you would do this with VBS.

Glad you got it sorted though...
0
 
LVL 7

Expert Comment

by:Hubasan
ID: 24337217
No problem bluntTony,

It happened a lot to me when I first started here, so now I just refresh the thread before posting to make sure users are not getting help from another expert :-)

damoncf1234,

Masking the password is not possible in VBS, while using a default wscript.exe provider as a default. So unless you were to use HTA with embedded VBS which is an unnecessary complication in my opinion, you will not be able to do it.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question