Does anyone happen to know what the official Microsoft documentation states about what happens when a Win10 laptop is disjoined from a 2016 functional level directory? There is conflicting information from various sources about whether or not the computer object gets disabled and/or deleted from its OU. I've worked for 2 different companies with differing results, one that deleted the object and one that does nothing with the object.
I did see this post, and running dsquery computer -inactive returns "failed no value specified for 'inactive'" and dsquery computer -disabled returns a handful of objects.
https://social.msdn.microsoft.com/Forums/en-US/694229b8-d21c-49f3-a8c9-31f49e3930a0/disjoined-computer-object?forum=winserverDS
That's the default action. When you disjoin computers from the domain, the account remains in the directory. It gets marked Disabled.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello DrummerBoy
This discrepancy is mostly caused by the domain access level (besides the local Administrators group) of the account used to disjoin the client. If the account has enough permissions to delete, it will be deleted. If not, it will be disabled.
You can verify it by checking the NetSetup.log file on the client machine:
NetpApplyJoinState: status of disabling account: 0x0
This means the computer account is disabled successfully.
Or
NetpApplyJoinState: status of disabling account: 0x5
This means the computer account cannot be disabled, because the user account does not have sufficient permission.
You can check the Disabled computer objects in the domain with: Dsquery computer -disabled
--If the reply is helpful, please Upvote and Accept as answer--
@Limitless Technology I'll review the netsetup.log but I disjoined a domain associated laptop using an acct that belongs to both the domain admin and enterprise admin groups and yet the computer object remains intact in AD and it did not disable the object. I'm very certain in another business domain I did the same procedure and it did in fact remove the object from AD after about an hour or so without any further interaction on my part.
With obvious laptop and domain name changes here's the netsetup log results from the domain disjoin. From what I've gathered 0x0 is a successful status change. It did not disable the laptop in AD and it did not remove its entry in DNS.
02/03/2022 12:12:20:434 -----------------------------------------------------------------
02/03/2022 12:12:20:434 NetpValidateName: checking to see if 'LAPTOP' is valid as type 1 name
02/03/2022 12:12:20:450 NetpCheckNetBiosNameNotInUse for 'LAPTOP' [MACHINE] returned 0x0
02/03/2022 12:12:20:450 NetpValidateName: name 'LAPTOP' is valid for type 1
02/03/2022 12:12:20:450 -----------------------------------------------------------------
02/03/2022 12:12:20:450 NetpValidateName: checking to see if 'LAPTOP.local.domain.dcn' is valid as type 5 name
02/03/2022 12:12:20:450 NetpValidateName: name 'LAPTOP.local.domain.dcn' is valid for type 5
02/03/2022 12:12:20:466 -----------------------------------------------------------------
02/03/2022 12:12:20:466 NetpValidateName: checking to see if 'TEMP' is valid as type 2 name
02/03/2022 12:12:29:585 NetpCheckNetBiosNameNotInUse for 'TEMP' [ Workgroup as MACHINE] returned 0x0
02/03/2022 12:12:29:585 NetpValidateName: name 'TEMP' is valid for type 2
02/03/2022 12:12:29:585 -----------------------------------------------------------------
02/03/2022 12:12:29:585 NetpUnJoinDomain: unjoin from 'local' using '(null)' creds, options: 0x4
02/03/2022 12:12:29:585 OS Version: 10.0
02/03/2022 12:12:29:585 Build number: 19043 (19041.vb_release.191206-1406)
02/03/2022 12:12:29:585 SKU: Windows 10 Pro
02/03/2022 12:12:29:585 Architecture: 64-bit (AMD64)
02/03/2022 12:12:29:585 NetpUnJoinDomain: status of getting computer name: 0x0
02/03/2022 12:12:29:585 NetpUnJoinDomain: DsrIsDeviceJoined returned false
02/03/2022 12:12:29:585 NetpApplyJoinState: actions: 0x22b805a
02/03/2022 12:12:29:585 NetpDsGetDcName: trying to find DC in domain 'local', flags: 0x1010
02/03/2022 12:12:29:585 NetpDsGetDcName: found DC '\DC1' in the specified domain
02/03/2022 12:12:29:600 NetpApplyJoinState: status of connecting to dc '\DC1': 0x0
02/03/2022 12:12:30:629 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
02/03/2022 12:12:30:629 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
02/03/2022 12:12:30:662 NetpManageMachineAccountWithSid: status of disabling account 'LAPTOP$' on '\DC1': 0x0
02/03/2022 12:12:30:662 NetpApplyJoinState: status of disabling account: 0x0
02/03/2022 12:12:30:677 NetpApplyJoinState: status of setting LSA pri. domain: 0x0
02/03/2022 12:12:30:677 NetpApplyJoinState: status of setting LSA machine acct info 0x0
02/03/2022 12:12:30:677 NetpApplyJoinState: status of clearing ComputerNamePhysicalDnsDomain: 0x0
02/03/2022 12:12:30:693 NetpApplyJoinState: status of removing from local groups: 0x0
02/03/2022 12:12:30:740 NetpApplyJoinState: status of disconnecting from '\DC1': 0x0
02/03/2022 12:12:30:740 NetpUnJoinDomain: status: 0x0
dsquery computer -disabled does display the status on a few devices but not the one in question
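The NetSetup.log check from the answer above, as an added example that is not part of the thread: it pulls each unjoin attempt out of the log text and reports the account, the DC that handled the request and the disable status, so the follow-up query can be pointed at that DC. The sample lines are constructed in the log's format (KIOSK7 and DC2 are hypothetical), and reading options bit 0x4 as "disable the account" relies on the NetUnjoinDomain flag NETSETUP_ACCT_DELETE.

```python
import re

# Constructed sample in NetSetup.log format (KIOSK7 and DC2 are hypothetical):
# one unjoin where the DC disabled the account, one where it refused (0x5).
SAMPLE_LOG = r"""
02/03/2022 12:12:29:585 NetpUnJoinDomain: unjoin from 'local' using '(null)' creds, options: 0x4
02/03/2022 12:12:30:662 NetpManageMachineAccountWithSid: status of disabling account 'LAPTOP$' on '\\DC1': 0x0
02/03/2022 12:12:30:662 NetpApplyJoinState: status of disabling account: 0x0
02/04/2022 09:01:10:101 NetpUnJoinDomain: unjoin from 'local' using '(null)' creds, options: 0x4
02/04/2022 09:01:11:310 NetpManageMachineAccountWithSid: status of disabling account 'KIOSK7$' on '\\DC2': 0x5
02/04/2022 09:01:11:310 NetpApplyJoinState: status of disabling account: 0x5
"""

NETSETUP_ACCT_DELETE = 0x4  # NetUnjoinDomain option: disable the account on unjoin
TS = r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3}) "
HEX = r"(?P<val>0x[0-9a-fA-F]+)"
UNJOIN = re.compile(TS + r"NetpUnJoinDomain: unjoin from '(?P<domain>[^']*)' using .* options: " + HEX)
DISABLE = re.compile(TS + r"NetpManageMachineAccountWithSid: status of disabling account "
                          r"'(?P<acct>[^']+)' on '\\*(?P<dc>[^']+)': " + HEX)
SUMMARY = re.compile(TS + r"NetpApplyJoinState: status of disabling account: " + HEX)

def unjoin_events(text):
    """Return one dict per unjoin attempt found in NetSetup.log text."""
    events, cur = [], None
    for line in text.splitlines():
        if m := UNJOIN.match(line):
            cur = {"time": m["ts"], "domain": m["domain"], "account": None, "dc": None,
                   "status": None,  # stays None if no disable attempt was logged
                   "disable_requested": bool(int(m["val"], 16) & NETSETUP_ACCT_DELETE)}
            events.append(cur)
        elif cur is None:
            continue  # line belongs to a join or rename, not an unjoin
        elif m := DISABLE.match(line):
            cur.update(account=m["acct"], dc=m["dc"], status=int(m["val"], 16))
        elif (m := SUMMARY.match(line)) and cur["status"] is None:
            cur["status"] = int(m["val"], 16)
    return events

def needs_followup(event):
    """True when the log does not show a successful (0x0) disable for this unjoin."""
    return event["status"] != 0

if __name__ == "__main__":
    for ev in unjoin_events(SAMPLE_LOG):
        flag = "CHECK IN AD" if needs_followup(ev) else "disable reported OK"
        status = "none logged" if ev["status"] is None else hex(ev["status"])
        print(f"{ev['time']} {ev['account']} on {ev['dc']}: status {status} -> {flag}")
```

On a client, pass the contents of NetSetup.log instead of SAMPLE_LOG, then confirm the account state on the DC named in the matching line.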