KB-33865: Forcing adleave (adleave -f) Leaves Excess Data in Active Directory

Authentication Service

15 May, 2020 at 06:22 PM

What is the impact of forcing an adleave to remove a computer from the domain?
# adleave -f

The adleave -f command is intended for use when a machine is physically disconnected from the domain and/or cannot reach any Domain Controller over the network.

When a computer is joined to the domain, local system files are changed and several objects are created in Active Directory. When adleave is executed, the local files are changed again to clear out data such as PAM stack entries and the nsswitch.conf or methods.cfg information, and Active Directory credentials are supplied so that the AD objects can be deleted. When adleave is run with -f, the local machine data is removed but the data in AD remains. While this data is not harmful to AD, it is considered best practice to delete the excess objects when running adleave. The -f (force) option should only be used when the machine is unable to reach any Domain Controller.

In addition, the Centrify license used by that machine is also stored in AD. A forced adleave does not free that license for use on another machine. This affects the deployment report that is sent to Centrify: the report may show more licenses in use than are actually being used.
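The follow-up an administrator needs after a forced adleave is to find and remove what the machine left behind in AD. The script below is an added example, not part of this article or of the Centrify product: it locates the computer object by name and lists everything stored beneath it (Centrify keeps agent data in child objects under the computer object; exactly which child objects it creates is an assumption here, so the script lists rather than guesses), and only deletes when the operator passes -Remove. The hostname is a placeholder.

```powershell
# Added example: inspect, and optionally remove, the AD objects left by "adleave -f".
# Assumes the ActiveDirectory RSAT module and rights to delete computer objects.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. "LINUXHOST01" (placeholder)
    [switch] $Remove                                 # default is report-only
)
Import-Module ActiveDirectory

# Resolve the computer object; sAMAccountName of a computer ends with "$".
$computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties lastLogonTimestamp
if (-not $computer) {
    Write-Host "No computer object named $ComputerName found; nothing to clean up."
    return
}

# Convert lastLogonTimestamp so the operator can confirm the host is really gone
# (a recent logon means the object is still in use and must not be removed).
$lastLogon = if ($computer.lastLogonTimestamp) {
    [DateTime]::FromFileTimeUtc($computer.lastLogonTimestamp)
} else { 'never' }
Write-Host "Computer object : $($computer.DistinguishedName)"
Write-Host "Last logon (UTC): $lastLogon"

# Anything stored under the computer object (assumption: agent/zone data lives here)
# is what a normal adleave would have deleted along with the computer account.
$children = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel -Filter *
foreach ($child in $children) {
    Write-Host "  leftover child: $($child.ObjectClass)  $($child.DistinguishedName)"
}

if ($Remove) {
    # -Recursive removes the child objects first, then the computer account itself.
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$true
    Write-Host "Removed $($computer.DistinguishedName) and $($children.Count) child object(s)."
} else {
    Write-Host "Report only. Re-run with -Remove to delete the objects listed above."
}
```

Run it without -Remove first and check the last-logon value; the deletion prompts for confirmation because removing a computer object that is still in use breaks that host's domain membership.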