How to use the adleave command to leave a domain and have the computer object removed from AD.
Applies to: Centrify DirectControl on Mac OS X
When unjoining a Mac from the domain, the computer object for the Mac remains in AD. How can I leave a domain and also have the computer object removed?
You can have a Mac leave the domain by navigating to System Preferences > Centrify > AD Join Assistant. This method removes the Mac from the domain; however, by default the Mac's computer object remains in AD in a disabled state. To leave the domain and have the computer object removed, use the adleave command with the -r option.
1. Log in to the Mac as a local admin, and open the Terminal app.
2. Enter the command: sudo adleave -r
3. You will be prompted for the local admin password to run this command.
4. You will then be prompted for a domain administrator password to leave the domain.
5. Once the command finishes executing, confirm that the Mac's computer object is no longer present in AD.
Note:
- On the Mac, Centrify must be in connected mode. If it is not in connected mode, the Mac cannot communicate with the domain controller, so you will not have the option to have the computer object in AD disabled or removed.
- If you choose to force leave the domain, the computer object will remain unchanged in AD.