You cannot delete a demoted domain controller's computer account from Active Directory

Posted On 2005-11-1 by FortyPoundHead
Keywords: Delete Domain Controller DC AD Active Directory
Tags: Active Directory 

After demoting a domain controller, you cannot remove its computer account from Active Directory. You receive:

Error: DSA object cannot be deleted.

If you ran dcpromo to demote the domain controller, or you used ntdsutil to clean up a failed domain controller's metadata and removed the account from Active Directory Sites and Services, you may still be unable to delete the account because its UserAccountControl attribute is set to 8192 - SERVER_TRUST_ACCOUNT.

Try changing the UserAccountControl to 4096 - WORKSTATION_TRUST_ACCOUNT:

Use Start / Run / ADSIEdit.msc / OK.
Expand Domain NC, expand dc=domain,dc=com, and expand ou=domain controllers.
Right-click the computer name of the domain controller, and then press Properties.
On the Attributes tab, select Both in the Select which properties to view box.
In the Select a property to view box, select UserAccountControl.
Under Attribute Value, view the value.
Type 4096 in the Edit Attribute box.
Press the Set button.
Press Apply and OK. Exit ADSI Edit.
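
The same check and change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The computer name is a placeholder supplied by the caller; the script prints the decoded flags first and writes 4096 only when SERVER_TRUST_ACCOUNT is actually set.

```powershell
# Added example, not from the original post.
# Requires the ActiveDirectory module (RSAT) and rights to modify the computer object.
param(
    [Parameter(Mandatory)][string]$ComputerName   # placeholder, e.g. OLDDC01
)
Import-Module ActiveDirectory

# userAccountControl bits relevant to a demoted domain controller
$flags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    WORKSTATION_TRUST_ACCOUNT = 0x1000    # 4096
    SERVER_TRUST_ACCOUNT      = 0x2000    # 8192
    TRUSTED_FOR_DELEGATION    = 0x80000
}

$computer = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
$uac      = [int]$computer.userAccountControl

# Decode the current value so the change is made with the full picture in view
$set = $flags.GetEnumerator() |
    Where-Object { $uac -band $_.Value } |
    ForEach-Object { $_.Key }
Write-Host $computer.DistinguishedName
Write-Host "userAccountControl = $uac ($($set -join ', '))"

# Only touch accounts that still carry the domain controller trust flag
if (-not ($uac -band $flags['SERVER_TRUST_ACCOUNT'])) {
    Write-Warning 'SERVER_TRUST_ACCOUNT is not set; nothing changed.'
    return
}

# Same change as the ADSI Edit steps: replace the value with 4096.
# -Confirm prompts before the write.
Set-ADComputer -Identity $computer -Replace @{ userAccountControl = 4096 } -Confirm

# Read the attribute back to verify the result
$after = (Get-ADComputer -Identity $computer -Properties userAccountControl).userAccountControl
Write-Host "userAccountControl is now $after"
```

Replacing the whole value with 4096 also clears any other bits that were set on the account, such as TRUSTED_FOR_DELEGATION, so note the original value from the script output before confirming.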
