Solved

Remove computer from domain and add to workgroup

Posted on 2010-09-04
Last Modified: 2013-12-23
I have found the following code to remove a computer from a domain and add to a workgroup.  First, will this code work?  Second, can I change the value of NETSETUP_ACCT_DELETE so that it deletes the computer account rather than disabling it?

Const NETSETUP_ACCT_DELETE = 2 'Disables computer account in domain
strPassword = "password"
strUser = "DomainMgr"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
 strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
strDomain = objComputer.Domain
intReturn = objComputer.UnjoinDomainOrWorkgroup _
 (strPassword, strDomain & "\" & strUser, NETSETUP_ACCT_DELETE)


'Then join to a workgroup
objComputer.JoinDomainOrWorkgroup("workgroup")

Question by:bpl5000
18 Comments
 
LVL 8

Expert Comment

by:spinzr0
ID: 33604439
This method will work to leave the domain.  It will not delete the computer account from AD.  To do that, use this code.
Sub DeleteComputer(sDomain, sComputerName)
    On Error Resume Next

    If Not Right(sComputerName, 1) = "$" Then sComputerName = sComputerName & "$"
    
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    
    Set oTrasnlate = CreateObject("NameTranslate")
    oTrasnlate.Init ADS_NAME_INITTYPE_GC, ""
    oTrasnlate.Set ADS_NAME_TYPE_NT4, sDomain & "\" & sComputerName
    
    If Err.Number <> 0 Then
        Msgbox "Computer not found"
    Else
        Set oComputer = GetObject("LDAP://" & oTrasnlate.Get(ADS_NAME_TYPE_1779))
        If Err.Number <> 0 Then
            Msgbox "Computer not found"
        Else
            oComputer.DeleteObject(0)
            Msgbox "Deleted computer."
        End If
    End If
End Sub


0
 
LVL 5

Author Comment

by:bpl5000
ID: 33604659
Ok, but the user who is logged in will not have the rights to remove the object from the domain so I need a script that will specify a username/password that has rights.
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33604666
No problem.  Will post shortly.
0

 
LVL 8

Expert Comment

by:spinzr0
ID: 33604680
Here you go.
Sub DeleteComputer(sDomain, sComputerName, sAdminUser, sAdminPass)
    On Error Resume Next

    If Not Right(sComputerName, 1) = "$" Then sComputerName = sComputerName & "$"

    Const ADS_NAME_INITTYPE_DOMAIN = 1
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    
    Set oTrasnlate = CreateObject("NameTranslate")
    oTranslate.InitEx ADS_NAME_INITTYPE_DOMAIN, sDomain, sAdminUser, sDomain, sAdminPass
    oTrasnlate.Set ADS_NAME_TYPE_NT4, sDomain & "\" & sComputerName
    
    If Err.Number <> 0 Then
        Msgbox "Computer not found"
    Else
        Set oComputer = GetObject("LDAP://" & oTrasnlate.Get(ADS_NAME_TYPE_1779))
        If Err.Number <> 0 Then
            Msgbox "Computer not found"
        Else
            oComputer.DeleteObject(0)
            Msgbox "Deleted computer."
        End If
    End If
End Sub


0
 
LVL 5

Author Comment

by:bpl5000
ID: 33605240
Oh okay, I see... you are giving me code that deletes the computer account from the domain.  I do want to accomplish that, but I mainly want to remove the computer from the domain and add it to a workgroup.
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33605276
The code you have will remove it from the domain and join the workgroup.  I was just adding how to remove it from AD.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33605569
I have tried the code I posted on a Windows 7 workstation and it doesn't seem to work.  Finally I tried setting Const NETSETUP_ACCT_DELETE equal to 0 and that worked.  Using 2 is supposed to disable the computer account, but I guess that's not important since I am going to delete the account.  Now that I have my code working, I'll add your code and test it.  Thanks for the help!
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33606656
The code ran without errors, but the computer account still remained in AD.  I'll remove the "on error resume next" and see if I get an error message.
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33606774
How'd it go?
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33607100
I get the following error...

Object required: 'oTranslate'
Code: 800A01A8

The error happens on this line...

oTranslate.InitEx ADS_NAME_INITTYPE_DOMAIN, sDomain, sAdminUser, sDomain, sAdminPass

Any ideas why?
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33607280
I have a typo in my code, sorry.

the line: Set oTrasnlate = CreateObject("NameTranslate")
should be: Set oTranslate = CreateObject("NameTranslate")
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33608353
Can't believe I didn't notice that when I copied and pasted it!  Now I'm getting another error...

"Name translation: Could not find the name or insufficient right to see name."

It happens on this line...

    oTranslate.Set ADS_NAME_TYPE_NT4, sDomain & "\" & sComputerName

Could this be because the computer has been removed from the domain?  I'm thinking it should still work because we are authenticating to the domain.
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33608376
It should still work.  You could try deleting it before you remove it from the domain.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33608758
Ok, I found out that when I supply the domain/computername, it needs to be the short domain name (MyOrg instead of MyOrg.local).  When running the oTranslate.InitEx, the full domain name works.

Now I get to "oComputer.DeleteObject(0)" and I get "permission denied."  Is this because I'm not using my credentials on this line?  The logged in user will not have rights to delete objects, but the credentials I supply will have.
0
 
LVL 5

Author Comment

by:bpl5000
ID: 33608784
I think when I "Set oComputer", I need to use credentials.  Do you know if that's possible?
0
 
LVL 8

Expert Comment

by:spinzr0
ID: 33608831
This should do it.  Please note you also need to supply a domain controller.
Sub DeleteComputer(sDomain, sComputerName, sAdminUser, sAdminPass, sDomainController)
    On Error Resume Next

    If Not Right(sComputerName, 1) = "$" Then sComputerName = sComputerName & "$"

    Const ADS_NAME_INITTYPE_DOMAIN = 1
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_SERVER_BIND = &H200
    
    Set oTranslate = CreateObject("NameTranslate")
    oTranslate.InitEx ADS_NAME_INITTYPE_DOMAIN, sDomain, sAdminUser, sDomain, sAdminPass
    oTranslate.Set ADS_NAME_TYPE_NT4, sDomain & "\" & sComputerName
    
    If Err.Number <> 0 Then
        Msgbox "Computer not found"
    Else
        Set oLDAP = GetObject("LDAP:")
        Set oComputer = oLDAP.OpenDSObject("LDAP://" & sDomainController & "/" & oTrasnlate.Get(ADS_NAME_TYPE_1779), sDomain & "\" & sAdminUser, sAdminPass, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)

        If Err.Number <> 0 Then
            Msgbox "Computer not found"
        Else
            oComputer.DeleteObject(0)
            Msgbox "Deleted computer."
        End If
    End If
End Sub


0
 
LVL 8

Accepted Solution

by:
spinzr0 earned 2000 total points
ID: 33608863
And I typoed oTranslate again.  Corrected.
Sub DeleteComputer(sDomain, sComputerName, sAdminUser, sAdminPass, sDomainController)
    On Error Resume Next

    ' Computer accounts carry a trailing "$" in their NT4 account name
    If Not Right(sComputerName, 1) = "$" Then sComputerName = sComputerName & "$"

    Const ADS_NAME_INITTYPE_DOMAIN = 1
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_SERVER_BIND = &H200
    
    ' Translate DOMAIN\COMPUTER$ to a distinguished name using the supplied credentials
    Set oTranslate = CreateObject("NameTranslate")
    oTranslate.InitEx ADS_NAME_INITTYPE_DOMAIN, sDomain, sAdminUser, sDomain, sAdminPass
    oTranslate.Set ADS_NAME_TYPE_NT4, sDomain & "\" & sComputerName
    
    If Err.Number <> 0 Then
        Msgbox "Computer not found"
    Else
        ' Bind to the object on the named domain controller as the admin account
        Set oLDAP = GetObject("LDAP:")
        Set oComputer = oLDAP.OpenDSObject("LDAP://" & sDomainController & "/" & oTranslate.Get(ADS_NAME_TYPE_1779), sDomain & "\" & sAdminUser, sAdminPass, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)

        If Err.Number <> 0 Then
            Msgbox "Computer not found"
        Else
            oComputer.DeleteObject(0)
            ' Report a failed delete (e.g. permission denied) instead of claiming success
            If Err.Number <> 0 Then
                Msgbox "Delete failed: " & Err.Description
            Else
                Msgbox "Deleted computer."
            End If
        End If
    End If
End Sub


0
 
LVL 5

Author Comment

by:bpl5000
ID: 33613398
Works awesome!  I greatly appreciate all the help!
0
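
An added example, not code from this thread or its participants: the same unjoin-then-delete procedure in PowerShell, prompting for the credential instead of embedding a password such as strPassword in the script, and stopping on the first error rather than running under On Error Resume Next. It uses Remove-Computer and .NET DirectoryServices in place of the thread's WMI and NameTranslate/OpenDSObject calls; the domain controller name `dc01.myorg.local` and the workgroup name are placeholders.

```powershell
# Added example. Run elevated in Windows PowerShell 3.0 or later.
# Assumptions: 'dc01.myorg.local' and 'WORKGROUP' are placeholder values.
param(
    [string]$DomainController = 'dc01.myorg.local',
    [string]$Workgroup        = 'WORKGROUP'
)
$ErrorActionPreference = 'Stop'   # any failure aborts the script visibly

# Prompt for the account that holds the rights; no password lives in the file.
$cred = Get-Credential -Message 'Account allowed to unjoin and delete computer objects'
$net  = $cred.GetNetworkCredential()

# Same bind flags as the accepted answer:
# ADS_SECURE_AUTHENTICATION (&H1) + ADS_SERVER_BIND (&H200).
$auth = [System.DirectoryServices.AuthenticationTypes]'Secure, ServerBind'
$bind = "LDAP://$DomainController", $cred.UserName, $net.Password, $auth
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $bind

# Find this computer's account by sAMAccountName (computer name plus "$").
$sam      = $env:COMPUTERNAME + '$'
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$sam))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No computer object named $sam found via $DomainController" }

# The entry inherits the credentials and bind flags of the search root,
# so the delete below runs as the prompted account, not the logged-on user.
$entry = $hit.GetDirectoryEntry()
$dn    = $hit.Properties['distinguishedname'][0]

# Leave the domain and join the workgroup; check the reported result.
$result = Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force -PassThru
if (-not $result.HasSucceeded) { throw 'Unjoin failed; computer account left untouched' }

# Delete the computer object (same operation as DeleteObject(0) in the thread).
$entry.DeleteTree()
Write-Output "Deleted $dn. Restart to finish moving to workgroup '$Workgroup'."
```

Enter the account in DOMAIN\user form at the prompt; the workgroup change takes effect after a restart.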

Question has a verified solution.
