One of my clients recently requested that we remove a computer from a domain. In my years of managing IT infrastructure, I’ve found that removing computers from a domain is easy using PowerShell.
In this tutorial, I will explain how to remove a computer from a domain using PowerShell. There are various methods to do so. Let us check one by one.
Method 1 – Using the Remove-Computer Cmdlet (Local Machine)
The simplest way to remove a computer from a domain is using the Remove-Computer cmdlet directly on the local machine. This is the most used approach when you have physical access to the computer.
Here are the steps to remove a computer from a domain using this method:
- Open PowerShell as Administrator (right-click on PowerShell and select “Run as Administrator”)
- Run the following command:
Remove-Computer -WorkgroupName "WORKGROUP" -Force -RestartThe -WorkgroupName parameter specifies the workgroup that the computer will join after being removed from the domain. “WORKGROUP” is the default name, but you can change it to any name you prefer.
The -Force parameter ensures the command executes without prompting for confirmation.
The -Restart parameter automatically restarts the computer after removal, which is necessary for the changes to take effect.
If you need to provide domain credentials during this process, you can use the following command:
Remove-Computer -WorkgroupName "WORKGROUP" -Credential (Get-Credential) -Force -RestartWhen prompted, enter the domain admin credentials to authorize the removal.
Check out Add a Computer to a Domain Using PowerShell
Method 2 – Using Remove-Computer with Remote Computers
Often, I need to remove multiple computers from a domain without physically accessing each machine. PowerShell makes this easy with remote execution capabilities.
To remove a remote computer from a domain:
$cred = Get-Credential
Invoke-Command -ComputerName "ComputerName" -Credential $cred -ScriptBlock {
Remove-Computer -WorkgroupName "WORKGROUP" -Force -Restart
}Replace “ComputerName” with the name of the remote computer you want to remove from the domain.
To remove multiple computers at once, you can use an array of computer names:
$computers = @("Computer1", "Computer2", "Computer3")
$cred = Get-Credential
foreach ($computer in $computers) {
Invoke-Command -ComputerName $computer -Credential $cred -ScriptBlock {
Remove-Computer -WorkgroupName "WORKGROUP" -Force -Restart
}
}This method is especially useful when managing a large IT environment, such as a corporate office in New York with hundreds of workstations.
Read Set the Default Printer Using PowerShell in Windows
Method 3 – Using WMI/CIM for Older Systems
For older systems running Windows 7 or Windows Server 2008 R2 where the Remove-Computer cmdlet might not be available, you can use Windows Management Instrumentation (WMI) or Common Information Model (CIM) commands.
Here’s how to do it:
$computer = $env:COMPUTERNAME
$workgroup = "WORKGROUP"
$wmi = Get-WmiObject -Class "Win32_ComputerSystem" -ComputerName $computer
$result = $wmi.UnjoinDomainOrWorkgroup($null, $null, 0)
if ($result.ReturnValue -eq 0) {
$joinResult = $wmi.JoinDomainOrWorkgroup($workgroup)
if ($joinResult.ReturnValue -eq 0) {
Write-Host "Successfully removed from domain and joined workgroup $workgroup"
Restart-Computer -Force
}
}This method provides more granular control over the unjoin process and can work in environments where newer PowerShell modules aren’t available.
I just added this method, assuming a few organizations are still using older versions.
Check out Set Password Never Expires for Local User Using PowerShell
Method 4 – Using Active Directory Module (For Domain Admins)
As a domain administrator, you might want to remove a computer account from Active Directory without touching the client machine. This is useful for cleanup operations when the physical machine is no longer accessible.
To do this:
- Install the Active Directory module if you haven’t already:
Install-WindowsFeature RSAT-AD-PowerShell- Remove the computer account from AD:
Import-Module ActiveDirectory
Remove-ADComputer -Identity "ComputerName" -Confirm:$falseReplace “ComputerName” with the name of the computer account you want to remove from AD.
This doesn’t affect the client machine’s domain membership status, but it removes the computer object from Active Directory. The client would need to be manually joined to a workgroup if it’s still operational.
Read Set Password for Local User in Windows 11 Using PowerShell
Method 5 – Using Group Policy to Automate Domain Removal
For large-scale operations, such as a domain migration for a company with offices across the United States, you might want to automate the process through Group Policy.
Create a PowerShell script:
$workgroup = "WORKGROUP"
Remove-Computer -WorkgroupName $workgroup -ForceSave this as RemoveFromDomain.ps1 and use Group Policy to deploy it as a startup script to the target computers. You’ll need to configure the GPO to run with the appropriate credentials.
This method allows for a controlled, scheduled removal of computers from the domain, which can be essential during major infrastructure changes.
Check out Set the Time Zone Using PowerShell in Windows
Troubleshooting Common Issues
When removing computers from a domain, several issues can arise; and you can follow the solution I have mentioned below:
1. Insufficient Permissions
If you encounter access denied errors, ensure you’re using an account with sufficient privileges:
$cred = Get-Credential # Enter domain admin credentials
Remove-Computer -WorkgroupName "WORKGROUP" -Credential $cred -Force -Restart2. Network Connectivity Issues
Domain removal requires connectivity to a domain controller. To verify connectivity:
Test-Connection -ComputerName (Get-ADDomainController -Discover).HostName -Count 13. Cached Credentials
After removing a computer from a domain, users might face login issues due to cached credentials. Clear the credential cache with:
rundll32.exe keymgr.dll, KRShowKeyMgrThen, manually remove the stored credentials from the Windows Credential Manager.
I’ve found these troubleshooting steps essential when implementing domain changes in enterprise environments, particularly in larger organizations with complex authentication requirements.
Check out Get Default Browser Using PowerShell
Best Practices for Domain Removal
Based on my experience managing domain transitions for various organizations, here are some best practices to follow:
- Backup user profiles before removing computers from the domain to prevent data loss
- Document all computer names and their status during the removal process
- Schedule removals during off-hours to minimize disruption to users
- Have a rollback plan in case you need to rejoin the computers to the domain
- Test the process with a small group of computers before implementing it widely
I hope you found this tutorial helpful. I have explained various methods to remove computers from a domain using PowerShell. If you have any questions or suggestions, feel free to drop them in the comments below.
Other tutorials you may also like:
- How to Update PowerShell on Windows 11?
- Windows Terminal vs PowerShell
- Check for Windows Updates Using PowerShell
Bijay Kumar is an esteemed author and the mind behind PowerShellFAQs.com, where he shares his extensive knowledge and expertise in PowerShell, with a particular focus on SharePoint projects. Recognized for his contributions to the tech community, Bijay has been honored with the prestigious Microsoft MVP award. With over 15 years of experience in the software industry, he has a rich professional background, having worked with industry giants such as HP and TCS. His insights and guidance have made him a respected figure in the world of software development and administration. Read more.
