windows0583-8703 asked ClementBETACORNE commented

remove computer from domain

Hello,

I am trying to remove computers from the domain with a PowerShell script that automates the entire process.
I will be using the Local Admin. credentials to remove the devices from the domain so users don't have to type in anything.
I have encrypted the password with the following commands:

Creating a Secure Password:

 $userPassword = read-host -AsSecureString
 $stringObject = ConvertFrom-SecureString $userPassword
 $stringObject | Set-Content -Path "C:...path"

Removing from the Domain:

 $userName = '.\LocalAdminUserName'
 $pw = Get-Content "C:\path to $stringObjectPassword"
 $securePW = $pw | ConvertTo-SecureString -AsPlainText -Force
 $plainCred = New-Object System.Management.automation.pscredential -ArgumentList ($userName, $securePW)
 Remove-Computer -UnjoinDomainCredential $plainCred -PassThru -Restart -Force -WorkgroupName 'WORKGROUP'

I keep getting this error that doesn't make sense:

Remove-Computer : Failed to unjoin computer 'Computer Name' from domain 'Domain Name' with the following error message:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Can someone help?




1 Answer

ClementBETACORNE answered ClementBETACORNE commented

Hello,

I've tested your script and I got the same issue, so I modified it.
The modified script is below:

 # Store the password as an encrypted string
 $userPassword = Read-Host -AsSecureString
 $stringObject = ConvertFrom-SecureString $userPassword
 $stringObject | Set-Content -Path '<yourpath>'

 # Load it back (no -AsPlainText: the file holds an encrypted string) and unjoin
 $userName = '<yourusername>'
 $pw = Get-Content '<yourpath>'
 $securePW = ConvertTo-SecureString -String $pw
 $plainCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($userName, $securePW)
 Remove-Computer -UnjoinDomainCredential $plainCred -PassThru -Force -WorkgroupName "WORKGROUP"

The error message was different: it was access denied, so I tried with a domain account instead of a local account and it worked.
I suppose this command works only with a domain account because this cmdlet tries to disable the computer account in Active Directory and a local user does not have the right to do it.
If you want to automate the process, you should create a service account with the local admin right on your computers and rights on the computer objects in your Active Directory.

Best Regards,


THANK YOU SO MUCH!!! YOUR MODIFICATION WORKED.
But why did you add the String parameter to ConvertTo-SecureString?


Because the pwd | ConvertTo-SecureString does not give you the content of the file but the variable type instead

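
The difference between the two `ConvertTo-SecureString` calls in this thread, as an added example that is not code from the question or the answer: it writes an encrypted string to a temporary file the same way the scripts do, reads it back both ways, and compares what each resulting credential would actually send as the password. The function names, the sample password and the temp-file name are assumptions made for the illustration, and it assumes Windows PowerShell.

```powershell
# Added illustration; the sample password and temp-file name are constructed values.
function Get-PlainText {
    param([Security.SecureString]$Secure)
    # PSCredential exposes the decrypted value through GetNetworkCredential().
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'demo', $Secure
    $cred.GetNetworkCredential().Password
}

function Test-SecureStringRoundTrip {
    param([string]$SamplePassword = 'Constructed-Sample-Pw-1!')

    $file = Join-Path ([IO.Path]::GetTempPath()) 'securestring-demo.txt'
    try {
        # Same as the "Creating a Secure Password" step, minus the Read-Host prompt.
        $original = ConvertTo-SecureString -String $SamplePassword -AsPlainText -Force
        ConvertFrom-SecureString -SecureString $original | Set-Content -Path $file

        # The file holds one long hex string: the encrypted form of the password.
        $stored = Get-Content -Path $file

        # Question's call: -AsPlainText wraps the hex text itself as the password.
        $asPlain = ConvertTo-SecureString -String $stored -AsPlainText -Force

        # Answer's call: without -AsPlainText the hex text is decrypted first.
        $decrypted = ConvertTo-SecureString -String $stored

        [pscustomobject]@{
            SamplePasswordLength  = $SamplePassword.Length
            StoredStringLength    = $stored.Length
            AsPlainTextIsHexBlob  = (Get-PlainText $asPlain) -ceq $stored
            DecryptedMatchesInput = (Get-PlainText $decrypted) -ceq $SamplePassword
        }
    }
    finally {
        # Do not leave the demo file behind.
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
}

Test-SecureStringRoundTrip | Format-List
```

On Windows, `ConvertFrom-SecureString` without `-Key` or `-SecureKey` protects the string with DPAPI for the account and computer that created it, so a file written under one account cannot be decrypted by a script running as a different user or on a different machine.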