You Cannot Delete a Demoted Domain Controller Computer Account from Active Directory

By | 2005-11-01
0 Comment

After demoting a domain controller, you cannot remove its’ computer account from Active Directory? You receive:

Error: DSA object cannot be deleted.

If you ran dcpromo to demote the domain controller, or you used ntdsutil to clean up a failed domain controller’s metadata and removed the account from Active Directory Sites and Services, you may be unable to delete the account because the UserAccountControl is set to 8192 – SERVER_TRUST_ACCOUNT.

Try changing the UserAccountControl to 4096 – WORKSTATION_TRUST_ACCOUNT:

  1. Use Start / Run / ADSIEdit.msc / OK.
  2. Expand Domain NC, expand dc=domain,dc=com, and expand ou=domain controllers.
  3. Right-click the computer name of the domain controller, and then press Properties.
  4. On the Attributes tab, select Both in the Select which properties to view box.
  5. In the Select a property to view box, select UserAccountControl.
  6. Under Attribute Value, view the value.
  7. Type 4096 in the Edit Attribute box.
  8. Press the Set button.
  9. Press Apply and OK. Exit ADSI Edit.
Active Directory
Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.