How to Disjoin a Computer from a Domain in a Batch Script
Disjoining a computer from an Active Directory domain is a significant administrative action, typically performed when decommissioning a machine, moving it to a different network, or converting it to a standalone workgroup computer. While this is often done through the graphical System Properties window, it can be fully automated from a batch script using the netdom.exe command-line utility.
This guide will teach you how to use the netdom remove command to cleanly disjoin a computer from a domain. You will learn the necessary syntax, the critical importance of providing local administrator credentials, and the fact that this operation will always require a reboot.
CRITICAL WARNING: Removing a computer from a domain is a major network identity change. It will sever the machine's trusted relationship with the domain. Domain user accounts will no longer be able to log in to this machine. You must have a local administrator account and its password to log back in after the operation. This script must be run with full administrator privileges.
The Core Command: netdom remove
The netdom.exe command is the standard, built-in tool for managing a computer's membership in an Active Directory domain. The remove subcommand is used to unjoin a machine from its current domain.
The Syntax: netdom remove [ComputerName] /Domain:DomainName /UserD:DomainAdmin /PasswordD:AdminPassword
- [ComputerName]: The name of the computer to remove. If omitted, it defaults to the local machine.
- /Domain:DomainName: This is optional but recommended for clarity.
- /UserD:DomainAdmin: The domain user account that has permissions to remove a computer from the domain.
- /PasswordD:AdminPassword: The password for the domain admin account.
The Essential Prerequisite: Local Administrator Credentials
After a computer is disjoined from a domain, you will not be able to log in with any domain accounts. Before you run this command, you must know the username and password for a local administrator account on the machine. Without it, you could be locked out of the computer after it reboots.
Basic Example: Disjoining from a Domain
This script removes the local computer from the corp.example.com domain. It will force a reboot upon completion.
@ECHO OFF
REM This script MUST be run as an Administrator.
REM Credentials are hard-coded here for illustration only; the reusable script
REM later in this guide prompts for the password with /PasswordD:* instead.
SET "DomainAdmin=DomainJoiner"
SET "AdminPass=S3cureP@ss!"
ECHO --- Disjoining from Domain ---
ECHO WARNING: This will remove the computer from the domain and force a reboot.
ECHO Ensure you have a local administrator password.
ECHO.
PAUSE
ECHO.
ECHO Removing this computer from the domain...
REM Name the local machine explicitly (the [ComputerName] position in the syntax above).
netdom remove %COMPUTERNAME% /UserD:%DomainAdmin% /PasswordD:%AdminPass% /force
IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] The computer has been disjoined from the domain. The system will now reboot.
) ELSE (
ECHO [FAILURE] An error occurred. Errorlevel: %ERRORLEVEL%
)
The /force switch is used here to prevent the command from prompting, making it suitable for a script.
Key netdom Parameters Explained
- remove: The primary command to disjoin a machine.
- /Domain:<DomainName>: Specifies the domain to leave. netdom can usually figure this out, but it's good practice to be explicit.
- /UserD:<user>: The domain user with permissions to perform the action.
- /PasswordD:<password>: The password for the /UserD account. You can use * to be prompted for the password securely.
- /UserO:<user>: The object's (computer's) local user account with admin rights.
- /PasswordO:<password>: The password for the local admin account.
- /Reboot:<seconds>: Specifies a time delay for the automatic reboot. The default is to reboot after about 30 seconds.
- /Force: Prevents interactive prompts, making the command suitable for scripts.
Example of a More Secure and Explicit Command
This version is more robust because it specifies the credentials of both the domain admin (to authorize the removal) and the local admin (to manage the machine-side changes).
netdom remove /UserD:DomainAdmin /PasswordD:* /UserO:LocalAdmin /PasswordO:* /Reboot:60
This will prompt for both passwords securely.
Common Pitfalls and How to Solve Them
- Not Running as Administrator: netdom is a high-level administrative tool. It will fail with an access denied error if not run from an elevated command prompt. Solution: Always run the script as an Administrator.
- Insufficient Domain Privileges: The account specified in /UserD must have the "Remove computer from domain" privilege in Active Directory. A standard domain user cannot perform this action. Solution: Use a dedicated service account or the credentials of a Domain Admin.
- Forgetting Local Admin Password: This is the biggest potential disaster. If you disjoin a machine and don't know a local admin password, you may be permanently locked out. Solution: Before running the script, enable the built-in Administrator account (net user administrator /active:yes) and set a known password (net user administrator NewPassword).
- Automatic Reboot: A reboot is not optional; it is required to complete the disjoin process. The /Reboot switch only controls the delay. Solution: Ensure any running tasks are saved before executing the script.
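As an added example (not the article's own script), the following batch file turns the four pitfalls above into pre-flight checks that run before netdom is invoked, so the script aborts on the common failure modes instead of discovering them after a reboot. It assumes netdom.exe is available on the machine, uses "net session" as the elevation test, checks the built-in Administrator account unless a different local admin name is passed as the first argument, and treats wmic.exe as optional because it is deprecated and absent on the newest Windows builds; the file name disjoin-preflight.cmd is just a placeholder.

```batch
@ECHO OFF
SETLOCAL
REM Pre-flight checks for a domain disjoin (added example; not the original article's script).
REM Usage:  disjoin-preflight.cmd [LocalAdminName]   (defaults to the built-in "Administrator")
REM Assumptions: netdom.exe is on the PATH, "net session" is an acceptable elevation test,
REM and wmic.exe may be missing (deprecated; removed from the newest Windows builds).

SET "LocalAdmin=Administrator"
IF NOT "%~1"=="" SET "LocalAdmin=%~1"

ECHO --- Disjoin pre-flight checks for %COMPUTERNAME% ---

REM 1. Pitfall "Not Running as Administrator": "net session" only succeeds in an elevated prompt.
net session >nul 2>&1
IF ERRORLEVEL 1 (
    ECHO [ABORT] Not elevated. Re-run this script from an Administrator command prompt.
    EXIT /B 1
)
ECHO [OK] Running elevated.

REM 2. Pitfall "Forgetting Local Admin Password": refuse to continue unless the local
REM    account you intend to log in with afterwards exists and is enabled.
net user "%LocalAdmin%" 2>nul | find /i "Account active" | find /i "Yes" >nul
IF ERRORLEVEL 1 (
    ECHO [ABORT] Local account "%LocalAdmin%" does not exist or is disabled.
    ECHO         Enable it and set a password you know before disjoining, e.g.:
    ECHO         net user %LocalAdmin% /active:yes
    EXIT /B 1
)
ECHO [OK] Local account "%LocalAdmin%" is enabled.

REM 3. Soft check that the machine is actually domain-joined (warning only: wmic may be
REM    missing, and netdom itself fails cleanly on a workgroup machine).
wmic computersystem get PartOfDomain /value 2>nul | find /i "PartOfDomain=TRUE" >nul
IF ERRORLEVEL 1 (
    ECHO [WARN] Could not confirm domain membership ^(not joined, or wmic unavailable^).
) ELSE (
    ECHO [OK] Computer is domain-joined.
)

REM 4. Pitfall "Insufficient Domain Privileges": ask for the account explicitly instead of
REM    assuming the logged-in user has rights, and never store the password in the script.
SET "DomainAdmin="
SET /P "DomainAdmin=Domain account allowed to remove computers (DOMAIN\user): "
IF NOT DEFINED DomainAdmin (
    ECHO [ABORT] No domain account given.
    EXIT /B 1
)

ECHO.
ECHO About to run: netdom remove %COMPUTERNAME% /UserD:%DomainAdmin% /PasswordD:* /UserO:%LocalAdmin% /PasswordO:* /Reboot:60
ECHO The machine WILL reboot 60 seconds after a successful disjoin. Press Ctrl+C to stop.
PAUSE

REM 5. Pitfall "Automatic Reboot": /Reboot:60 gives a fixed, announced window. Both passwords
REM    are requested by netdom itself ("*"), so they never appear in the script or command line.
netdom remove %COMPUTERNAME% /UserD:%DomainAdmin% /PasswordD:* /UserO:%LocalAdmin% /PasswordO:* /Reboot:60
IF ERRORLEVEL 1 (
    ECHO [FAILURE] netdom reported an error. Review the message above before retrying.
    EXIT /B 1
)
ECHO [SUCCESS] Disjoin accepted. After the reboot, log in as .\%LocalAdmin%.
ENDLOCAL
```

The checks are ordered so that the cheapest and most irreversible-to-miss ones come first: elevation and the local account are verified before any credential is typed, and the domain-membership probe is only a warning because wmic cannot be relied on everywhere.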
Practical Example: A Reusable "Disjoin" Script
This script provides a more user-friendly and reusable template. It prompts for the necessary credentials securely and includes clear warnings.
@ECHO OFF
SETLOCAL
REM This script must be run as an Administrator.
ECHO --- Domain Disjoin Utility ---
ECHO.
ECHO This script will remove this computer from its Active Directory domain.
ECHO This is a high-risk operation that will force a reboot.
ECHO.
ECHO YOU MUST have the password for a LOCAL Administrator account.
ECHO ===================================================================
ECHO.
PAUSE
ECHO.
SET "DomainAdmin="
SET /P "DomainAdmin=Enter your Domain Admin username: "
IF NOT DEFINED DomainAdmin (
ECHO [FAILURE] No username entered. Aborting.
GOTO :EOF
)
ECHO.
ECHO Removing computer '%COMPUTERNAME%' from the domain.
ECHO You will be prompted for the Domain Admin password.
ECHO.
REM Use '*' to prompt for the password securely; name the local machine explicitly.
netdom remove %COMPUTERNAME% /UserD:%DomainAdmin% /PasswordD:* /Reboot:60
IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] Disjoin command accepted. The system will reboot in 60 seconds.
) ELSE (
ECHO [FAILURE] The command failed. Errorlevel: %ERRORLEVEL%
ECHO Common causes: Incorrect password, insufficient permissions, or not running as Admin.
PAUSE
)
ENDLOCAL
Conclusion
The netdom remove command is the authoritative tool for programmatically disjoining a computer from a domain. While powerful, it must be used with extreme caution due to the significant changes it makes to the system's identity and accessibility.
For a successful and safe operation:
- Always run your script as an Administrator.
- Ensure you have a known local administrator password before you begin.
- Use the netdom remove command with appropriate credentials (/UserD, /PasswordD).
- Be aware that a reboot is mandatory and will happen automatically.