Hey everyone! I'm having a bit of a tough time with a computer that was accidentally removed from Active Directory (AD). The local admin password was changed through LAPS, so I can't log in and there's no domain admin saved on the machine either. Fortunately, I have Ivanti's agent installed, which allows me to push PowerShell scripts to run as system. I tried a simple "Add-Computer" script, but it didn't seem to work—I'm wondering if it's because the computer thinks it's still in the domain, as it was just removed from the DC.
Before I ran out of time, I was planning to run a script to remove the computer from the local domain first, then re-run the script to add it back. It would also be helpful to log the errors to a file so I can troubleshoot better next time. Has anyone here dealt with something similar? Here's the basic script I've been using:
```powershell
# Placeholder values: replace with the real domain, join account and password
$domain = "corp.example.com"
$username = "AdminUser"
$password = "SecurePassword"
# Build a credential object for the account that is allowed to join machines to the domain
$cred = New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString $password -AsPlainText -Force))
# Join (or rejoin) this machine to the domain using that credential
Add-Computer -DomainName $domain -Credential $cred
```
Any advice would be appreciated!
4 Answers
You could use a password reset tool that you boot from a USB or CD. Alternatively, if you're using a modern Windows Server OS, the AD Recycle Bin should have the deleted object so you can easily restore it. This is a good way to avoid overkill solutions like full backups just to fix a single computer.
If your Ivanti agent has local admin rights, you might want to try setting the local administrator account password directly from the command line. Once you have that sorted, log in with the new password and delete the computer object from Active Directory Users and Computers (ADUC) on a domain controller. After about 20 minutes, you should be able to rejoin the computer to the domain from the control panel.
Have you checked if you have Deleted Items enabled in your Active Directory Administrative Center (ADAC)? If so, restoring the deleted computer object directly from there could be a quick fix. It usually restores trust, so you can log back in and apply any necessary Group Policies.
You could consider retrieving the password that LAPS set. If LAPS rotated the password, you should be able to pull the new one from AD and log in to the local account. I suggest getting a physical hold on the PC instead of just relying on scripts. Also, try wrapping your `Add-Computer` command in a try-catch block to get better error logging.
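Putting the suggestions above together (try to repair the trust first in case the object was restored from the AD Recycle Bin, otherwise leave and rejoin, with every step and error written to a log file), here is an added example script, not the original poster's or any of the answerers' code. It assumes the management agent runs it as SYSTEM and passes the join account and password in as parameters rather than having them hard-coded, that `Remove-Computer` completes the local unjoin even though the computer object no longer exists in AD, and that the domain name and log path are placeholders.

```powershell
# Added example: repair-or-rejoin a machine whose AD computer object was deleted.
# Assumptions: run as SYSTEM by the agent; -JoinUser/-JoinPassword are supplied
# by the agent at run time; domain name and log path are placeholders.
param(
    [string]$DomainName = 'corp.example.com',
    [Parameter(Mandatory)][string]$JoinUser,
    [Parameter(Mandatory)][string]$JoinPassword,   # injected by the agent, not stored in the script
    [string]$LogPath = "$env:ProgramData\rejoin-domain.log"
)
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

$cred = New-Object System.Management.Automation.PSCredential(
    $JoinUser, (ConvertTo-SecureString $JoinPassword -AsPlainText -Force))

try {
    $cs = Get-CimInstance Win32_ComputerSystem
    Write-Log "Host $($cs.Name): PartOfDomain=$($cs.PartOfDomain) Domain=$($cs.Domain)"

    if ($cs.PartOfDomain) {
        # If the computer object was restored (e.g. from the AD Recycle Bin),
        # rebuilding the secure channel is enough and avoids a full rejoin.
        # Errors are suppressed here so a failed repair falls through to the rejoin.
        if (Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction SilentlyContinue) {
            Write-Log 'Secure channel repaired; no rejoin needed.'
            return
        }
        Write-Log 'Trust is broken; leaving the domain before rejoining.'
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force
    }

    Write-Log "Joining $DomainName as $JoinUser"
    # AccountCreate recreates the computer account that was deleted from AD.
    Add-Computer -DomainName $DomainName -Credential $cred -Options AccountCreate -Force
    Write-Log 'Join succeeded; rebooting to complete it.'
    Restart-Computer -Force
}
catch {
    # Record the full error record so the next attempt can be diagnosed from the log.
    Write-Log "FAILED: $($_.Exception.Message)"
    Write-Log ($_ | Out-String)
    exit 1
}
```

The log file is written under ProgramData so it survives the reboot and can be read once a local logon is possible again.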