Remove computers from domain.
Phaturia last edited by Phaturia
It would be great if we could remove computers from domain with a single click on the WebUI. Or is it possible already?
@x23piracy We would need one for Linux too. On most systems, that’s a simple
realm leave -U username domainname
x23piracy last edited by x23piracy
Nice script, and I am thinking of a place where we can collect useful snapins that are based on script and not binary.
@Wayne-Workman maybe somewhere in the wiki?
I would also appreciate an embedded solution for this, because when I dismantle a computer (employee leaves the company) I always bring the computer/notebook back to stock, remove it from AD (manually, go to ADS and remove the computer account) and I deactivate our AV license.
@tom-elliott So it would be really cool if we would have that option in the advanced tasks.
So my final solution was a PowerShell snapin.
# Domain account that is allowed to unjoin computers (placeholder values)
$User = "domain\user"
# The password is stored in clear text inside the snapin script
$PWord = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
# Leave the domain, join the workgroup WORKGROUP, then restart
Remove-Computer -Credential $Credential -Force -PassThru -Restart -Verbose -WorkgroupName WORKGROUP
Maybe it’s not that hard to implement in the advanced task actions.
@sebastian-roth Oh yeah, edit the DB directly… Why didn’t I think about this!? Thanks for this detailed answer, but I still think that a snapin would be better for this.
I think I just need to switch off the domain join, then apply a batch file, something like this:
REM This is needed because %hostname% isn't accessible by default
FOR /F "usebackq" %%i IN (`hostname`) DO SET myHostname=%%i
REM This should remove the current computer from the domain
netdom remove %myHostname% /d:mydomain /ud:mydomain\admin /pd:password /force /reboot
or a powershell script with the cmdlet
Also need to delete the computers from the AD just to clear up everything.
I will post later if I successfully made it.
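Both scripts posted in this thread carry a domain account password in clear text, and a snapin script is distributed to every host it is deployed to. The following is an added example, not code from any poster or from the FOG project: a small Python check that flags those two patterns in a script before it is uploaded as a snapin. The function name `scan_script` and the sample strings are constructed for illustration.

```python
import re

# Added example: flags the two inline-credential styles seen in this thread.
# PowerShell: ConvertTo-SecureString ... -AsPlainText fed from a quoted literal.
PS_CALL = re.compile(r"ConvertTo-SecureString\b.*-AsPlainText\b", re.I)
PS_LITERAL = re.compile(r"""["'][^"'$][^"']*["']""")
# netdom: /pd: (/PasswordD:) or /po: (/PasswordO:) followed by a value.
NETDOM = re.compile(r"\bnetdom\b", re.I)
NETDOM_PW = re.compile(r"\s/(?:pd|passwordd|po|passwordo):(\S+)", re.I)


def scan_script(text):
    """Return [(line_number, rule)]; the secret itself is never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PS_CALL.search(line) and PS_LITERAL.search(line):
            findings.append((no, "powershell-plaintext-password"))
        # A '*' value makes netdom prompt, so nothing is embedded in that case.
        if NETDOM.search(line) and any(v != "*" for v in NETDOM_PW.findall(line)):
            findings.append((no, "netdom-inline-password"))
    return findings


# Constructed samples modelled on the scripts in the thread (placeholder values).
SAMPLE_PS = r'''$User = "domain\user"
$PWord = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
Remove-Computer -Credential $Credential -Force -PassThru -Restart -Verbose -WorkgroupName WORKGROUP
'''
SAMPLE_BATCH = r'''FOR /F "usebackq" %%i IN (`hostname`) DO SET myHostname=%%i
netdom remove %myHostname% /d:mydomain /ud:mydomain\admin /pd:password /force /reboot
'''
SAMPLE_PROMPT = r'netdom remove %myHostname% /d:mydomain /ud:mydomain\admin /pd:* /force /reboot'

if __name__ == "__main__":
    for name, script in [("powershell", SAMPLE_PS), ("batch", SAMPLE_BATCH),
                         ("prompt", SAMPLE_PROMPT)]:
        print(name, scan_script(script))
```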
@Phaturia Either do it the snapin way or just change names directly in the DB. If you are a bit familiar with MySQL commands this is a real easy oneliner. Create a group and put in all the clients you want to remove from the domain. Note down the ID of this newly created group - when editing the group you see the ID in the URL bar. Then open a terminal/shell and go ahead:
shell> mysql -u root -p
...
mysql> use fog;
mysql> UPDATE hosts,groupMembers
       SET hosts.hostName = CONCAT(hosts.hostName, '_'),
           hosts.hostADDomain = CONCAT(hosts.hostADDomain, '_')
       WHERE hosts.hostID = groupMembers.gmHostID
         AND groupMembers.gmGroupID = <GROUPID>;
The only thing you need to adjust is the <GROUPID> at the end of the command. Put in the group's ID as a simple number, no quotes or anything. Leave that command prompt open for changing things back to normal after all the clients of this group have shut down. Then do:
mysql> UPDATE hosts,groupMembers
       SET hosts.hostName = SUBSTRING(hosts.hostName, 1, CHAR_LENGTH(hosts.hostName)-1),
           hosts.hostADDomain = SUBSTRING(hosts.hostADDomain, 1, CHAR_LENGTH(hosts.hostADDomain)-1)
       WHERE hosts.hostID = groupMembers.gmHostID
         AND groupMembers.gmGroupID = <GROUPID>;
The only issue with this I can think of is the timing. Some clients will reboot way faster than others. To work around this you just need to set the “Menu Timeout” value in FOG Configuration -> iPXE Boot Menu to zero (no timeout). They’ll all wait on the FOG menu screen then.
Note: In case you have client names as long as the maximum allowed size (15 characters) those clients will disappear from the web UI but will still be fine because the DB allows for 16 characters. Possibly the unjoin from the domain won’t work for those clients. But when you run the second mysql command names will be changed to normal for all the clients.
Sure we could add an unjoin function to FOG but this would take a lot more than what I just described as we’d have to alter client and server code for that.
@sebastian-roth Thanks for the reply, but that’s not really an option for me right now. I should remove 50+ computers. Giving another name to them one by one, then renaming them back, is a huge amount of work just to remove them from the AD. I think I am going to make a snapin that removes them, and I can deploy that for a whole group.
@Phaturia There is a simple trick that might work. Change the “Domain name” for this/those host(s) in the Active Directory section to any value different than the one that was set. Also change the “Host name” of this host in the General section. If the machine is on and fog-client is running, it should detect that its hostname and domain have changed, and in this case (domain not matching) the fog-client does an UNJOIN of the client, then reboots it and would then do the rename and rejoin the new domain. So when it reboots just turn it off and it should be unjoined then.
Then change back to the original hostname in the web UI and disable Active Directory settings for this host so it won’t join back into the domain again.
This is untested AFAIK. So please give it a try and let us know if it works for you.