I wrote this code for a cleanup task for PCs that are no longer in use. The script removes computers from the domain while running in WinPE.
This was one of the steps in the cleanup. Another step deleted the corresponding objects in McAfee ePO and SCCM.
To delete a PC from a domain from a PC that is not itself domain-joined, you need to install ADSI in the WinPE image.
You need the following to make it work:
1. ADSI in WinPE: ADSI implementation in WinPE
2. A user with the required privileges on the AD server (delete rights on the computer objects in the OU in question are enough). The username should be provided with the domain name, like this: "domain\username"
3. The IP address of the AD server (a domain controller).
<#
.SYNOPSIS
Deletes a computer object from Active Directory using ADSI.
.DESCRIPTION
Intended for a cleanup task sequence running in WinPE (a machine that is not domain-joined):
the function looks the computer up by name on the given domain controller, binds to the
object with the supplied credentials and deletes it.
.PARAMETER PCName
Name of the computer object to delete.
.PARAMETER ADIPAdress
IP address of the domain controller to query.
.PARAMETER UserName
Account with delete rights on the computer object, given as "domain\username".
.PARAMETER Password
Password of that account.
.EXAMPLE
Delete-PCInAD -PCName "PCObjTestDelete" -ADIPAdress "192.168.1.4" -UserName "mroenborg\mr" -Password "P@ssword"
.NOTES
Author: Morten Rønborg
Date: 10-09-2018
Last Updated: 03-02-2019
https://mroenborg.com
#>
################################################
function Delete-PCInAD
{
    param (
        [Parameter(Mandatory = $true)]
        # Only characters that are valid in a computer name. The name is spliced into the
        # ADSI query string below, so this also keeps quotes and wildcards out of the query.
        [ValidatePattern('^[A-Za-z0-9\-]{1,64}$')]
        [string]$PCName,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$ADIPAdress,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName,      # "domain\username"
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Password       # plain text because the ADSI OLE DB provider needs it; keep it out of logs
    )
    $objConn = New-Object -ComObject "ADODB.Connection"
    try
    {
        $objConn.Provider = "ADsDSOObject"
        $objConn.Properties.Item("User ID").Value = $UserName
        $objConn.Properties.Item("Password").Value = $Password
        $objConn.Properties.Item("Encrypt Password").Value = $true
        $objConn.Properties.Item("ADSI Flag").Value = 1        # ADS_SECURE_AUTHENTICATION
        $objConn.Open("Active Directory Provider")
        $objCommand = New-Object -ComObject "ADODB.Command"
        $objCommand.ActiveConnection = $objConn
        # Look the computer up by name on the given domain controller (subtree search of the domain it holds)
        $objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" + $ADIPAdress + "' WHERE objectCategory='computer' AND Name='" + $PCName + "'"
        $objData = $objCommand.Execute()
        # An empty result set has EOF set; MoveFirst on it would throw with an unhelpful COM error
        if ($objData.EOF)
        {
            throw "No computer object named '$PCName' was found on $ADIPAdress."
        }
        $objADSPath = $objData.Fields.Item("ADsPath").Value
        Write-Host ("ADsPath about to be deleted: " + $objADSPath)
        # Bind directly to the object with the same credentials and delete it.
        # DeleteTree also removes any child objects under the computer object.
        $compdel = New-Object System.DirectoryServices.DirectoryEntry($objADSPath, $UserName, $Password)
        $compdel.DeleteTree()
        Write-Host ("PC: " + $PCName + " successfully deleted.")
        return $true
    }
    catch
    {
        # $_ is the current error record; $Error is the whole error list and has no .Exception
        Write-Host ("Deletion of computer object '" + $PCName + "' in AD failed with error: " + $_.Exception.Message)
        return $false
    }
    finally
    {
        # ADODB Connection.State: 0 = closed, 1 = open
        if ($objConn.State -ne 0) { $objConn.Close() }
    }
}
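The requirements list above only covers the delete; the comments below also raise the case where a deletion appears to succeed but another domain controller still shows the object because replication has not caught up. The following companion function is an added example, not code from the original post: it uses the same ADSI/ADODB binding as Delete-PCInAD to ask one or more domain controllers whether a computer object with that name still exists, so a task sequence can confirm the deletion on every DC it cares about. The second DC address in the usage line (192.168.1.5) is a constructed value.

```powershell
function Test-PCInAD
{
    param (
        [Parameter(Mandatory = $true)]
        # Same character restriction as Delete-PCInAD: the name goes into the query string
        [ValidatePattern('^[A-Za-z0-9\-]{1,64}$')]
        [string]$PCName,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string[]]$ADIPAdress,   # one or more domain controllers to query
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName,       # "domain\username"
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Password
    )

    $results = @()
    foreach ($dc in $ADIPAdress)
    {
        $objConn = New-Object -ComObject "ADODB.Connection"
        try
        {
            $objConn.Provider = "ADsDSOObject"
            $objConn.Properties.Item("User ID").Value = $UserName
            $objConn.Properties.Item("Password").Value = $Password
            $objConn.Properties.Item("Encrypt Password").Value = $true
            $objConn.Properties.Item("ADSI Flag").Value = 1    # ADS_SECURE_AUTHENTICATION
            $objConn.Open("Active Directory Provider")

            $objCommand = New-Object -ComObject "ADODB.Command"
            $objCommand.ActiveConnection = $objConn
            # Ask this specific DC; each DC answers from its own replica, which is the point of the check
            $objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" + $dc + "' WHERE objectCategory='computer' AND Name='" + $PCName + "'"
            $objData = $objCommand.Execute()

            # Collect every match rather than only the first, so a duplicate name shows up too
            $paths = @()
            while (-not $objData.EOF)
            {
                $paths += $objData.Fields.Item("ADsPath").Value
                $objData.MoveNext()
            }
            $results += [pscustomobject]@{
                DC      = $dc
                Found   = ($paths.Count -gt 0)
                ADsPath = ($paths -join '; ')
                Error   = $null
            }
        }
        catch
        {
            # A DC we could not reach or bind to is reported, not silently skipped
            $results += [pscustomobject]@{
                DC      = $dc
                Found   = $null
                ADsPath = $null
                Error   = $_.Exception.Message
            }
        }
        finally
        {
            if ($objConn.State -ne 0) { $objConn.Close() }
        }
    }
    return $results
}

# Usage: delete on one DC, then check both DCs. A row with Found = $true on the second DC
# means the change has not replicated there yet, not that the delete failed.
# Delete-PCInAD -PCName "PCObjTestDelete" -ADIPAdress "192.168.1.4" -UserName "mroenborg\mr" -Password "P@ssword"
# Test-PCInAD -PCName "PCObjTestDelete" -ADIPAdress "192.168.1.4","192.168.1.5" -UserName "mroenborg\mr" -Password "P@ssword" | Format-Table
```

In a task sequence you would normally run the check against the DC you deleted on; querying the others is useful when a later step (for example an SCCM or ePO cleanup that reads AD) may talk to a different DC.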
Hi, I would like to know how the script works. It would be great if you could give a brief overview of it.
Hi Goutham
The script makes use of ADSI to connect to a given AD server and deletes a PC object.
Is there any specific parts of the script that you want explained or do you need an example on how to use it?
/Morten
Is this only meant to be executed via an SCCM task sequence? When I execute it manually, it appears to execute successfully, but the machine is still on the domain.
Hi Vtex,
I just tested the deletion of a PC object in Windows with a user who only had the necessary permissions on the specific OU, and it worked fine.
One reason may be that you have more than one domain controller in your environment and you are looking at one that hasn't synchronized the change yet.
Hello,
I tried it in a task sequence but it still failed. I have outlined the lines where I made the changes. Is there anywhere else I would need to make a change?
I placed the account info in the respective placeholders:
$objConn.Properties.Item("User ID").Value = $UserName
$objConn.Properties.Item("Password").Value = $Password
I placed the IP of a domain controller in the "Active Directory Provider":
$objConn.Open("Active Directory Provider")
Hi,
I would try the script in a console in Windows first. Copy the whole thing into an elevated PowerShell prompt and call the function. An example:
Delete-PCInAD -PCName "PCObjTestDelete" -ADIPAdress "192.168.1.4" -UserName "mroenborg\mr" -Password "P@ssword"
May I ask in which scenario you want to use this?