Clients unjoin from domain and are still in AD and DNS

raja waseem 51 Reputation points
2022-06-21T13:43:12.037+00:00

We are facing the issues below and need your support.

  1. Clients unjoin from the domain without credentials: they type any characters and the computer is removed from the domain. How can we allow only delegated domain users to remove computers from the domain?
  2. When a PC is unjoined from the domain it is not disabled or removed in AD. Checked from multiple PCs; the DNS entry is also still there from a week ago.
  3. New computers are joined to the domain but there is no record of the new PCs in DNS. It happens to 30% of computers. What could be the reason?

Thanks

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

5 answers

  1. Anonymous
    2022-06-22T13:38:02.14+00:00
    1. Don't make the users local admins.
    2. That's the default action. When you disjoin computers from the domain, the account remains in the directory; it gets marked Disabled.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Anonymous
    2022-06-21T14:00:41.923+00:00

    > What could be the reason?

    Sounds like the users are administrators. As to users joining the domain, read on here:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/72448623-3b87-45c4-812e-9a6e0bad6987/disable-users-to-join-computer-to-domain?forum=winserverDS

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Limitless Technology 39,926 Reputation points
    2022-06-23T07:26:32.123+00:00

    Hello Dear,
    Thank you for your question and for reaching out.
    Based on the information provided, I suggest you follow the steps mentioned below and see if that helps.

    Assign rights using the Default Domain Policy:

    1. Open the Default Domain Group policy.
    2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
    3. Expand User Rights Assignment.
    4. Double-click Add workstations to domain.
    5. Check the Define these policy settings box.
    6. Press the Add User or Group button.
    7. Complete the dialog to add the user or group.
    8. Press Apply and OK.

    Delegate rights using Active Directory Users and Computers:

    1. Open the Active Directory Users and Computers snap-in.
    2. Right-click the container under which you want the computers added, and press Delegate Control.
    3. Press Next.
    4. Press Add.
    5. After adding all the users and/or groups, press Next.
    6. Select Create custom task to delegate and press Next.
    7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.
    8. Check the Create all child object box and press Next.
    9. Press Finish.


    --If the reply is helpful, please Upvote and Accept as answer--

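The same delegation the two click-through procedures above produce, as an added PowerShell example (not part of the original answer or of any Microsoft documentation). It is tighter than the wizard's "Create all child objects" step: the group gets create/delete of computer objects on one OU plus the three rights needed to re-join an existing machine account, and the domain-wide machine account quota is set to 0 so that the default "Add workstations to domain" grant to Authenticated Users no longer lets any user create 10 machine accounts. The OU name, group name and domain DN are hypothetical; the schema GUIDs are the well-known ones for the computer class and the named rights.

```powershell
# Added example: delegate join/unjoin of computers to one group on one OU and
# close the default self-service join. Run as a Domain Admin with RSAT installed.
# Assumed (hypothetical) names: OU 'Workstations', group 'Workstation-Techs',
# domain 'corp.example'.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=corp,DC=example'        # hypothetical OU
$group = Get-ADGroup -Identity 'Workstation-Techs'     # hypothetical group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs behind the delegation wizard's choices
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$validatedDns  = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write to DNS host name
$validatedSpn  = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write to SPN

$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Create and delete computer objects under this OU (wizard: "Computer objects",
#    "Create selected objects in this folder"). Inherits to sub-OUs.
$acl.AddAccessRule((New-Object $ruleType -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# 2. On existing computer objects only: reset the machine password and the two
#    validated writes a join performs, so a technician can re-join a machine whose
#    account already exists without being granted Full Control over it.
$perObjectRights = @(
    @{ Rights = 'ExtendedRight'; Guid = $resetPassword },
    @{ Rights = 'Self';          Guid = $validatedDns  },
    @{ Rights = 'Self';          Guid = $validatedSpn  }
)
foreach ($r in $perObjectRights) {
    $acl.AddAccessRule((New-Object $ruleType -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $r.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)))   # inheritedObjectType: applies to descendant computer objects
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. By default "Add workstations to domain" is granted to Authenticated Users and
#    ms-DS-MachineAccountQuota lets each of them create 10 machine accounts anywhere.
#    Setting the quota to 0 leaves only explicitly delegated principals able to join.
$domainDn = (Get-ADDomain).DistinguishedName
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Verify both changes
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\Workstation-Techs' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Setting the quota to 0 does not change who may disjoin a machine locally (any local administrator can still leave the domain), it only controls who can create the account in AD; the unjoin will disable the AD account only when the credentials supplied in the dialog hold delegated rights on that object, which is the behaviour the question author describes.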

  4. raja waseem 51 Reputation points
    2022-06-24T22:53:45.457+00:00

    Thanks all for the answers, but these still aren't helpful.
    I tested these three conditions on many computers:

    Logged in to the computer with the local administrator account and unjoined it from the domain. It asks for credentials; I put in any random characters and the computer is removed from the domain, but the records are still there in AD and DNS - not removed, not disabled.

    Logged in with a domain user and unjoined from the domain with any random characters. It removes the computer from the domain, but it is not disabled in AD.

    Logged in with a domain user and unjoined from the domain with domain credentials that have the privilege to add/delete computer members, and it works fine: the computer is disabled in AD.

    My question is: any account that is a member of the local Administrators group can remove the computer from the domain by entering any characters, without the computer being disabled in AD. We have thousands of domain computers, and even if technicians don't put in the correct credentials they can remove computers from the domain, and that will make a mess in AD.

    How to control this?
    Thanks


  5. Anonymous
    2022-06-24T23:10:04.883+00:00

    Maybe something similar here will work.
    https://community.spiceworks.com/scripts/show/1861-find-and-disable-or-remove-inactive-ad-computer-accounts

    --please don't forget to upvote and Accept as answer if the reply is helpful--

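An added PowerShell example (not the linked Spiceworks script and not part of this answer) of the cleanup the thread is circling around: find computer accounts that are still enabled but whose owner has stopped authenticating (what an unjoin with bogus credentials leaves behind), disable and quarantine them, and cross-check every AD computer against the zone's A records to list both machines that joined without registering in DNS and DNS records whose AD account is stale. The DC name, zone name, quarantine OU and threshold are hypothetical; every change is run with -WhatIf so the script reports rather than acts until you remove it.

```powershell
# Added example: reconcile enabled computer accounts against recent activity and DNS.
# Needs the ActiveDirectory and DnsServer RSAT modules. Hypothetical names: DC 'dc01',
# zone 'corp.example', quarantine OU 'OU=Stale,DC=corp,DC=example'.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone      = 'corp.example'
$dnsServer = 'dc01'
$staleOu   = 'OU=Stale,DC=corp,DC=example'
$staleDays = 45   # longer than the default 30-day machine password age, so a live
                  # machine always has a fresher PasswordLastSet than this
$cutoff    = (Get-Date).AddDays(-$staleDays)

$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, PasswordLastSet, DNSHostName

# 1. A machine that left the domain without disabling its account stops renewing its
#    password and stops logging on. Require both to be old to avoid replication lag
#    on lastLogonTimestamp alone.
$stale = $computers | Where-Object {
    ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -lt $cutoff) -and
    ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
}

foreach ($c in $stale) {
    # Leave a trail in the description so the action is auditable and reversible
    $note = 'Disabled as stale on {0:yyyy-MM-dd}; last logon {1}' -f (Get-Date), $c.LastLogonDate
    Set-ADComputer -Identity $c -Description $note -WhatIf
    Disable-ADAccount -Identity $c -WhatIf
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $staleOu -WhatIf
}

# 2. DNS cross-check: index the zone's A records by host label
$byName = @{}
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -RRType A |
    ForEach-Object { $byName[$_.HostName.ToLower()] = $_ }

# Joined computers with no A record at all (the "no record of new PCs in DNS" case)
$noDns = foreach ($c in $computers) {
    if (-not $byName.ContainsKey($c.Name.ToLower())) { $c.Name }
}

# A records whose AD account we just flagged as stale (the "still in DNS" case).
# Timestamp is $null for static records, which scavenging never touches.
$orphanDns = foreach ($c in $stale) {
    $rec = $byName[$c.Name.ToLower()]
    if ($rec) {
        [pscustomobject]@{
            Name      = $rec.HostName
            Address   = $rec.RecordData.IPv4Address.IPAddressToString
            Timestamp = $rec.Timestamp   # dynamic records carry the last refresh time
            Static    = ($null -eq $rec.Timestamp)
        }
        Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
            -RRType A -Name $rec.HostName -Force -WhatIf
    }
}

[pscustomobject]@{
    EnabledComputers = $computers.Count
    StaleAccounts    = @($stale).Count
    NoDnsRecord      = @($noDns)
    OrphanDnsRecords = @($orphanDns)
}
```

Two caveats a practitioner should keep in mind when reading the results. A DNS record that is still present a week after the machine left is expected even with scavenging enabled: a dynamic record only becomes eligible for scavenging after the zone's no-refresh plus refresh intervals have passed (7 + 7 days by default), and scavenging is off on new zones until an administrator turns it on. And a machine with no A record usually points at registration, not AD: the client registers its own A record on a dynamic zone, so check that the zone allows secure dynamic updates and that the client's DNS suffix matches the zone before blaming the join.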
