remove computer from domain

windows0583 41 Reputation points
2021-11-10T22:38:51.813+00:00

Hello,

I am trying to remove computers from the domain with a PowerShell script that automates the entire process.
I will be using the Local Admin. credentials to remove the devices from the domain so users don't have to type in anything.
I have encrypted the password with the following commands:

Creating a Secure Password
$userPassword = read-host -AsSecureString
$stringObject = ConvertFrom-SecureString $userPassword
$stringObject | Set-Content -Path "C:...path"

Removing from the Domain
$userName = '.\LocalAdminUserName'
$pw = Get-Content "C:\path to $stringObjectPassword"
$securePW = $pw | ConvertTo-SecureString -AsPlainText -Force
$plainCred = New-Object System.Management.automation.pscredential -ArgumentList ($userName, $securePW)
Remove-Computer -UnjoinDomainCredential $plainCred -PassThru -Restart -Force -WorkgroupName 'WORKGROUP'

I keep getting this error that doesn't make sense:

Remove-Computer : Failed to unjoin computer 'Computer Name' from domain 'Domain Name' with the following error message:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Can someone help?


Answer accepted by question author
  1. Clément BETACORNE 2,496 Reputation points
    2021-11-11T17:56:05.91+00:00

    Hello,

    I've tested your script and I got the same issue, so I modified your script.
    The modified script is below:

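    # One-time step: prompt for the password and save it in encrypted form
    $userPassword = Read-Host -AsSecureString
    $stringObject = ConvertFrom-SecureString $userPassword
    $stringObject | Set-Content -Path '<yourpath>'
    
    # Unjoin step: read the encrypted string back and rebuild the credential
    $userName = '<yourusername>'
    $pw = Get-Content '<yourpath>'
    # No -AsPlainText here: the saved string is encrypted and has to be decrypted
    $securePW = ConvertTo-SecureString -String $pw
    $plainCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($userName, $securePW)
    Remove-Computer -UnjoinDomainCredential $plainCred -PassThru -Force -WorkgroupName "WORKGROUP"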
    

    The error message was different: it was access denied. So I tried with a domain account instead of a local account, and it worked.
    I suppose this command works only with a domain account because this cmdlet tries to disable the computer account in Active Directory, and a local user does not have the right to do it.
    If you want to automate the process, you should create a service account with the local admin right on your computers and rights on the computer objects in your Active Directory.

    Best Regards,
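
Added example (not part of the question or the answer, and not Microsoft's code): it reads back a file written by `ConvertFrom-SecureString` with each of the two `ConvertTo-SecureString` forms used in this thread and compares the results without printing any password. The sample password, the temp-file path and the `ConvertTo-PlainText` helper are constructed for the demonstration.

```powershell
# Constructed sample password, used only for this demonstration.
$original = 'Constructed-Sample-Pw-1!'
$sample   = ConvertTo-SecureString -String $original -AsPlainText -Force

# Export. Without -Key or -SecureKey, ConvertFrom-SecureString protects the value
# with Windows DPAPI under the current user account on this computer.
$blobPath = Join-Path $env:TEMP 'securestring-demo.txt'   # hypothetical path
ConvertFrom-SecureString -SecureString $sample | Set-Content -Path $blobPath

function ConvertTo-PlainText {
    # Demo-only helper: reveals a SecureString so the two imports can be compared.
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

function Test-Import {
    # Reports length and match only, so no password text reaches the console.
    param([string]$Label, [System.Security.SecureString]$Secure)
    $plain = ConvertTo-PlainText -Secure $Secure
    [pscustomobject]@{
        Import          = $Label
        PasswordLength  = $plain.Length
        MatchesOriginal = ($plain -ceq $original)
    }
}

$blob = Get-Content -Path $blobPath

# Form used in the question: -AsPlainText wraps the encrypted text itself,
# so the long encoded string becomes the password.
$asPlainText = ConvertTo-SecureString -String $blob -AsPlainText -Force

# Form used in the accepted answer: -String alone decrypts the saved text
# and returns the password that was originally entered.
$decrypted = ConvertTo-SecureString -String $blob

Test-Import -Label 'question: -AsPlainText -Force' -Secure $asPlainText
Test-Import -Label 'answer: -String only'          -Secure $decrypted

Remove-Item -Path $blobPath
```

Because the saved file is DPAPI-protected, it is in general readable only by the account that created it on the computer where it was created, which matters when the same file is meant to be reused by a script on other machines.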

