
KB-5071: Unjoining domain leaves computer object in AD

Mac & PC Management Service

21 January,15 at 05:30 PM

Applies to:  Centrify DirectControl on Mac OS X


When unjoining a Mac from the domain, the computer object for the Mac remains in AD.  How can I leave a domain and also have the computer object removed?


You can have a Mac leave the domain by navigating to System Preferences > Centrify > AD Join Assistant.  This method removes the Mac from the domain; however, by default the Mac's computer object remains in AD and is disabled.  To leave the domain and have the computer object removed, use the adleave command with the -r option.

1.  Log in to the Mac as a local admin, and open the Terminal app.
2.  Enter the command: sudo adleave -r
3.  You will be prompted for the local admin password to run this command.
4.  You will then be prompted for a domain administrator password to leave the domain.
5.  Once the command finishes, confirm the Mac's computer object is no longer present in AD.

- On the Mac, Centrify must be in connected mode.  If it is not in connected mode, the Mac cannot communicate with the domain controller, so you will not have the option to have the computer object in AD disabled or removed.
- If you choose to force leave the domain, the computer object will remain unchanged in AD.
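
The steps and the connected-mode note above, combined into a guard script so the leave is refused when the computer object would be left behind. This is an added example, not Centrify's own code; the function names are hypothetical, and it assumes that adinfo --mode prints the word "connected" when the agent can reach a domain controller.

```shell
#!/bin/sh
# Added example: only run "adleave -r" when the agent is in connected mode,
# because otherwise the computer object in AD cannot be removed.
# Assumption: "adinfo --mode" prints the single word "connected" when the
# agent can reach a domain controller.

# Print the agent's current mode in lowercase, or "unknown" if adinfo
# is missing, fails, or prints nothing.
centrify_mode() {
    mode=$(adinfo --mode 2>/dev/null) || mode=""
    mode=$(printf '%s' "$mode" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    printf '%s\n' "${mode:-unknown}"
}

# Leave the domain and remove the computer object.
# Returns 0 on success, 2 if not connected (nothing was changed),
# 1 if adleave itself failed.
leave_and_remove() {
    mode=$(centrify_mode)
    if [ "$mode" != "connected" ]; then
        echo "Not leaving: mode is '$mode', computer object would stay in AD" >&2
        return 2
    fi
    # Prompts for the local admin password, then the domain admin password.
    if ! sudo adleave -r; then
        echo "adleave -r failed; check AD for a leftover computer object" >&2
        return 1
    fi
    echo "Left the domain; confirm in AD that the computer object is gone."
    return 0
}

# Run only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    leave_and_remove
fi
```

A return code of 2 means nothing was changed on the Mac or in AD, so the leave can be retried once the Mac is back in connected mode.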
