Active directory rename computer that has been disconnected


Solution 1

You cover a number of points here; I shall try to address each of them in turn.

Is it ok to delete the computer called USER from active directory?

It depends. If the old computer has gone, never to return, then probably. Bear in mind that once you delete it (or any object in AD) then you cannot get it back just by recreating a new object with the same name. Each object has a unique security identifier (SID) associated with it and it is this SID that is used when assigning permissions on ACLs, group memberships, etc. Just because a replacement object has the same name does not mean it will inherit the same permissions.

That said, for a standard domain joined workstation it's likely to have minimal impact. I would be more worried if this were a user or group object.

Dangling references

If you have referenced the old computer account in any ACLs, groups, etc. then once it has been deleted you will find that these references just refer to the SID and not the original computer name. If you come across any references that show a SID only then it is likely this is the cause (although not the only reason, so be warned!).

Renaming of computer accounts

You cannot rename a computer account directly from the Active Directory Users & Computers snap-in. The correct method of renaming a computer account is to do this client side. You should be logged in to the client with a user account that has full access to modify the computer object in AD (e.g. a domain administrator or alternate account that has been delegated the relevant privileges).

If you attempt to rename the object directly from within Active Directory then you will encounter trust relationship issues when you next try and use the computer.

Best practice

This part is just my opinion, others may well have a different one.

I would never name a computer object with a name that is tied to a person (e.g. John Smith shouldn't have a computer named johnsPC). Instead come up with a sensible asset naming convention that you can use throughout your organisation (e.g. corppc123). Then when a computer asset is retired and replaced you don't have to worry about renaming the new object to be the same as the old; you simply replace it and move on.

However you go about naming and replacing your computers, you need to ensure you keep items such as group memberships up to date (e.g. WSUS groups, SCCM groups, etc.). Also consider any scripts you have that reference computers by name; these will need updating (or better yet, changed so that they don't refer directly to PC objects). That's going somewhat beyond the scope of this question, however!
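
The checks described in the answer above, as an added example that is not part of the original answer: before deleting the stale object, record its SID and direct group memberships, then look for explicit ACL entries that reference that SID. It assumes the RSAT ActiveDirectory module is installed; `$ScanRoot` and the report file name are hypothetical, and `USER` / `USER-2014` are the names from the question.

```powershell
# Added example (not from the original answer): pre-deletion audit of a stale computer account.
Import-Module ActiveDirectory

$OldName  = 'USER'                       # stale computer object named in the question
$ScanRoot = '\\fileserver\share'         # hypothetical path; replace with a share you manage
$Report   = ".\$OldName-predelete.json"  # hypothetical file name for the saved record

$pc = Get-ADComputer -Identity $OldName -Properties MemberOf, LastLogonDate, PasswordLastSet

# 1. Save the SID and direct group memberships. A recreated or renamed object gets a
#    different SID, so this record is what lets you identify a bare SID later and
#    re-add the replacement computer to the same groups (WSUS, SCCM, ...).
$record = [pscustomobject]@{
    Name            = $pc.Name
    SID             = $pc.SID.Value
    LastLogonDate   = $pc.LastLogonDate
    PasswordLastSet = $pc.PasswordLastSet
    MemberOf        = @($pc.MemberOf)
}
$record | ConvertTo-Json | Set-Content -Path $Report

# 2. Find explicit (non-inherited) ACEs that name this account's SID directly.
$dirs = @(Get-Item -LiteralPath $ScanRoot) +
        @(Get-ChildItem -LiteralPath $ScanRoot -Directory -Recurse -ErrorAction SilentlyContinue)

$hits = foreach ($dir in $dirs) {
    try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { continue }   # skip folders we are not allowed to read
    # Ask for identities as raw SIDs so no name lookup is involved
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $record.SID) {
            [pscustomobject]@{
                Path   = $dir.FullName
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

"{0}: {1} direct group(s), {2} explicit ACE(s) under {3}" -f `
    $record.Name, $record.MemberOf.Count, @($hits).Count, $ScanRoot
$hits | Format-Table -AutoSize

# 3. Only once the report has been reviewed (left commented out on purpose):
# Remove-ADComputer -Identity $OldName -Confirm
# Then, on USER-2014 itself, rename client side as the answer describes:
# Rename-Computer -NewName 'USER' -DomainCredential (Get-Credential) -Restart
```

Any ACE listed in step 2 will show as a bare SID after the deletion; the saved JSON record is what ties that SID back to the old computer name.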

Solution 2

Just delete the old computer object.

Solution 3

If the old computer is no longer in use and has no more reason to be linked with AD, you can safely destroy the old computer object. I do that several times per year and have never had any issue.

Author by

Adam

Updated on September 18, 2022

Comments

  • Adam over 1 year

    We named a new computer on the domain USER-2014. The computer was for someone who already had a computer on the domain called USER. We discontinued the old computer with name USER and are now looking to rename USER-2014 back to USER. When I attempt to rename I get a message "The following error occurred attempting to rename the computer to 'USER': The account already exists." Which makes sense since there is a computer in active directory called USER.

    Is it ok to delete the computer called USER from active directory? I assume that would then allow me to rename USER-2014 back to USER. I'm worried that something in the Windows ecosystem is still referencing it and by deleting it there will be a dangling reference somewhere that will cause issues. If I could rename USER to USER-OLD that could also resolve my issue but I can't find a rename function in active directory.

    What's a best practice here or a reasonable suggestion? Anything would be greatly appreciated. I'm pretty new to network administration.