3.1.4 Example 4: Unjoining a Domain Member

This example describes the process of unjoining a client computer from a domain. To unjoin from a domain, a client administrator locates a domain controller (DC) and then performs actions against the DC. This example is applicable to a client computer that is part of a domain and needs to unjoin from the domain.

This example builds on the use case described in section 2.7.7.2, Unjoin from a Domain - Domain Client.

Prerequisites

The general requirements are described in section 2.6, Assumptions and Preconditions.

The Active Directory system meets all preconditions described in section 2.7.7.2.

Initial System State

The client is joined to a domain.

Final System State

Upon successful completion of this task, the client's state variables are updated and the client is unjoined from the domain.

Sequence of Events

The following sequence diagram shows the message flow that is associated with this example.


Figure 45: Message flow for unjoining from a domain

 1. If the domain controller was not located earlier, the client locates a domain controller, as described in section 3.1.1.

 2. If the client receives a successful response from the domain controller, the DC is located. If the response is not successful, the task fails.

Note: The initial exchange to locate a DC is representative only of the traffic between the client and the selected domain controller. This traffic might not even be present, depending on whether previous results from the Locate a Domain Controller task (section 3.1.1) have been cached. Also, additional exchanges that might occur to other domain controllers are not represented.

 3. To establish an SMB/SMB2/CIFS session to the domain controller, the domain client sends an SMB session bind request using anonymous user credentials to the domain controller ([MS-CIFS] section 3.2.4.2).

 4. Upon a successful response from the domain controller, the SMB/SMB2/CIFS session is established between the domain client and the DC.

 5. By using the SMB connection that was established in the previous step, the domain client sends a SamrConnect5 request ([MS-SAMR] section 3.1.5.1.1) to the domain controller to connect to the SAM RPC server on the DC.

 6. Upon a successful response from the domain controller, the domain client receives a handle to the server object from the DC.

 7. By using the server handle that was obtained in the preceding step, the domain client sends a SamrOpenDomain request ([MS-SAMR] section 3.1.5.1.5) to the domain controller to obtain a handle for a domain object.

 8. Upon a successful response, the domain controller returns a handle for a domain object.

 9. To determine the relative identifier (RID) of the account, the domain client sends a SamrLookupNamesInDomain request ([MS-SAMR] section 3.1.5.11.2) to the domain controller.

10. Upon a successful response, the domain controller returns the RID of the existing domain client account.

11. To obtain a handle to modify user account information, the domain client sends a SamrOpenUser request ([MS-SAMR] section 3.1.5.1.9) to the domain controller.

12. Upon a successful response, the domain controller returns a handle to a user account.

13. The domain client sends a SamrQueryInformationUser request ([MS-SAMR] section 3.1.5.5.6) to the domain controller to obtain attributes from the user object.

14. Upon a successful response, the domain controller returns attributes of the user object.

15. To disable the user account in the directory, the domain client sends a SamrSetInformationUser request ([MS-SAMR] section 3.1.5.6.5) to the domain controller.

16. Upon a successful response from the domain controller, the domain client disables the user account in the directory.

17. The domain client updates its local state variables.

18. – 23. After the user account is disabled, the domain client sends SamrCloseHandle requests to the domain controller to close the handles that were opened earlier ([MS-SAMR] section 3.1.5.13.1). The client receives responses from the server for all the close-handle requests. Upon successful completion of the preceding call sequence, the domain client has successfully created or updated the client account in the domain.

24. The domain client sends an SMB session close request ([MS-CIFS] section 3.4.4.8) to the domain controller to close the SMB/SMB2/CIFS session that was established earlier.

25. Upon a successful response from the domain controller, the SMB/SMB2/CIFS session is closed.
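The following is an added example, not part of the original specification text: a checker that compares a decoded SAMR call trace with steps 5 through 23, which can help when reviewing a capture of an unjoin that failed or left handles open. The `(opnum, ntstatus)` tuple format, the function name, and the sample traces are assumptions constructed for illustration; the opnum values are the method numbers assigned in [MS-SAMR].

```python
# Added example: validate a decoded SAMR call trace against steps 5-23 above.
# Opnums are the method numbers assigned in [MS-SAMR].
SAMR_OPNUM = {
    "SamrCloseHandle": 1, "SamrOpenDomain": 7, "SamrLookupNamesInDomain": 17,
    "SamrOpenUser": 34, "SamrQueryInformationUser": 36,
    "SamrSetInformationUser": 37, "SamrConnect5": 64,
}
OPNUM_NAME = {num: name for name, num in SAMR_OPNUM.items()}
# Steps 5-16 in order; three of these calls return a handle (steps 6, 8, 12).
EXPECTED = ["SamrConnect5", "SamrOpenDomain", "SamrLookupNamesInDomain",
            "SamrOpenUser", "SamrQueryInformationUser", "SamrSetInformationUser"]
OPENS_HANDLE = {"SamrConnect5", "SamrOpenDomain", "SamrOpenUser"}
STATUS_SUCCESS = 0x00000000

def check_unjoin_trace(trace):
    """trace: (opnum, ntstatus) per request/response pair, in wire order.
    Returns a list of findings; an empty list means the trace matches."""
    findings, open_handles, pos, failed = [], 0, 0, False
    for opnum, status in trace:
        name = OPNUM_NAME.get(opnum, f"opnum {opnum}")
        if name == "SamrCloseHandle":
            if open_handles == 0:
                findings.append("SamrCloseHandle with no open handle")
            elif status == STATUS_SUCCESS:
                open_handles -= 1
            continue
        if failed or pos == len(EXPECTED) or name != EXPECTED[pos]:
            findings.append(f"unexpected call: {name}")
            continue
        if status != STATUS_SUCCESS:
            # The task fails at this step; only handle cleanup should follow.
            findings.append(f"{name} failed with 0x{status:08X}")
            failed = True
            continue
        pos += 1
        if name in OPENS_HANDLE:
            open_handles += 1
    if not failed and pos < len(EXPECTED):
        findings.append(f"flow stopped before {EXPECTED[pos]}")
    if open_handles:
        findings.append(f"{open_handles} handle(s) never closed")
    return findings

# Constructed sample traces (not captured traffic).
GOOD = [(64, 0), (7, 0), (17, 0), (34, 0), (36, 0), (37, 0), (1, 0), (1, 0), (1, 0)]
DENIED = [(64, 0), (7, 0), (17, 0), (34, 0xC0000022), (1, 0), (1, 0)]  # access denied
LEAKY = GOOD[:7]  # account disabled, but only one of three handles closed

if __name__ == "__main__":
    for label, t in (("good", GOOD), ("denied", DENIED), ("leaky", LEAKY)):
        print(label, check_unjoin_trace(t) or "matches the unjoin flow")
```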