PowerShell: Remove computer from Active Directory

This is in theory easy, just import the ActiveDirectory module:

Import-Module ActiveDirectory

and then remove the computer:

Remove-ADComputer -Identity "computername"

Except that sometimes it fails with:

Remove-ADComputer : The directory service can perform the requested operation only on a leaf object
At line:1 char:1
+ Remove-ADComputer -Identity computername
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=computername,O...rcmtech,DC=co,DC=uk:ADComputer) [Remove-ADComputer], ADException
    + FullyQualifiedErrorId : The directory service can perform the requested operation only on a leaf object,Microsoft.ActiveDirectory.Management.Commands.RemoveADComputer

Yet at other times it works fine. It turns out that a computer account is not always a “leaf” in Active Directory – it can be a container and have child objects within it. I’d been adding Windows Server 2012 virtual machines to my Active Directory; they were Hyper-V VMs created using System Center Virtual Machine Manager 2012 SP1 beta. The Hyper-V hosts I am using are also Server 2012.

Looking at the VMs in ADSI Edit showed that they had a “Windows Virtual Machine” object within them:

ADSI Edit
 Default naming context [dc01.rcmtech.co.uk]
  DC=internal,DC=rcmtech,DC=co,DC=uk
   OU=Servers
    CN=computername
     CN=Windows Virtual Machine

Thus the only way to delete these is to use Remove-ADObject with the -Recursive option, which deletes the object plus any child objects. Unlike Remove-ADComputer, which accepts a computer name as the -Identity option, Remove-ADObject has to be given a computer object:

$ComputerToDelete = Get-ADComputer -Identity "computername"
Remove-ADObject -Identity $ComputerToDelete -Recursive

Whilst we’re on the subject, I also found that Get-ADComputer seems to ignore the -ErrorAction SilentlyContinue option (which stops it putting a red error on screen during ps1 script execution). It also doesn’t behave the same way as some other cmdlets I was using when it doesn’t find a computer. Thus, the code block I’m using to look for a computer in AD and delete it if it exists, with no errors on screen if it does not exist, is as follows:

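# $NewVMName holds the computer name to look for (set earlier in the script)
$advm = $null
try {
    # Get-ADComputer -Identity throws when the account does not exist
    $advm = Get-ADComputer -Identity $NewVMName
} catch {
    Write-Host "No existing AD account found"
}
if ($null -ne $advm) {
    Write-Host "Remove existing AD account..."
    # -Recursive also deletes child objects such as "Windows Virtual Machine"
    Remove-ADObject -Identity $advm -Recursive
}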

Not perfect, but does the job.
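
An added example (not code from the original post) that extends the snippet above: it takes several computer names, lists each account's direct child objects so it is clear what -Recursive will delete, and honours -WhatIf. The function name Remove-ADComputerTree and the sample names PC1 and PC2 are hypothetical.

```powershell
# Added example, not the post's own code. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-ADComputerTree {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name
    )
    process {
        foreach ($n in $Name) {
            try {
                # An -Identity lookup throws when the account does not exist.
                $computer = Get-ADComputer -Identity $n
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # Only "not found" is treated as benign; other failures
                # (DC unreachable, access denied) still surface as errors.
                Write-Verbose "No AD account found for '$n'"
                continue
            }

            # Direct children only, e.g. CN=Windows Virtual Machine.
            $children = @(Get-ADObject -SearchBase $computer.DistinguishedName `
                              -SearchScope OneLevel -Filter *)
            foreach ($child in $children) {
                Write-Warning "$n contains $($child.Name) [$($child.ObjectClass)]"
            }

            $action = "Remove computer and $($children.Count) child object(s)"
            if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, $action)) {
                # The function has already prompted, so suppress the second prompt.
                Remove-ADObject -Identity $computer -Recursive -Confirm:$false
            }
        }
    }
}

# Dry run with constructed sample names: reports what would be deleted.
'PC1', 'PC2' | Remove-ADComputerTree -WhatIf
```

Without -WhatIf the function prompts once per computer; the warnings give a record of which child objects went with each account.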


6 Responses to PowerShell: Remove computer from Active Directory

  1. Jake says:

    The command worked, thank you. Is there a way to run the command “Remove-ADComputer -Identity “computername”” against a list of computer names?

    • Charles Profitt says:

      You can read a list of computer names from a text file — add them to an array — then do a foreach on the array to do your deletions.

      # start with an empty array so += appends elements instead of joining strings
      $delete = @()
      ForEach($line in [System.IO.File]::ReadLines("c:\computer-delete.txt")) {
          ## add element to inventory array
          $delete += $line
      }

  2. rcmtech says:

    You could do something with an array of computer names and a foreach loop:
    $Computers = "PC1","PC2","PC3","PC4"
    foreach($Computer in $Computers){
        $ComputerToDelete = Get-ADComputer -Identity $Computer
        Remove-ADObject -Identity $ComputerToDelete -Recursive
    }

    • rcmtech says:

      Watch the quotes if you copy and paste from that comment, they should all be standard double speech marks, but in my browser the ones in my comment above look like they’ve been “corrected” to be opening and closing ones.

  3. rjasonmorgan says:

    Well that was really helpful. I couldn’t figure out what was going on. Have you filed a connect bug for this?
