Remove and automatically Re-add Computers from the Domain using PowerShell scripts

In this post we’re going to look at removing a workstation from the domain and then automatically re-adding it, using PowerShell scripts and a batch file.

Bear in mind – the script may not be the best first step for troubleshooting a computer falling off the domain or a trust issue. ‘test-computersecurechannel -repair’ would be a better initial option. Also, this was a younger me experimenting, but if it comes in handy to someone else then great.

A video demonstration without explanation can be found below. The two times you see me input keys into the command shells, I am inputting my domain admin account password.


Firstly, let’s create the batch file – the batch file will run the PowerShell script that joins the computer to the domain. Later on we will also make sure this runs automatically after the removal restart.

Sounds confusing? No problem, it’s much less hassle than you think and will remove the need to run more than one script.

Create a folder called ‘Scripts’ on your C drive


Open a fresh notepad and input the following –

@echo off
Powershell.exe -executionpolicy remotesigned -file C:\Scripts\rejoindomain.ps1
pause

Save this as a batch file by going to ‘Save As’ and selecting the drop down ‘All Files’

Make sure to call the batch file something convenient, as you will need the name later. I am saving mine as ‘joindomain.bat’. Make sure to save it in the ‘Scripts’ folder you created earlier –



Now let’s create the removal PowerShell script:

As seen in my post explaining how to create a server setup PowerShell script – if you don’t want to include your admin account’s credentials inside the scripts, you can use the command below. It will require you to input the password manually when you run the script, and will store your password in an encrypted .txt file at your chosen file path.

read-host -AsSecureString | convertfrom-securestring | out-file C:\mysecurestring.txt

Alternatively, to avoid exporting the password to a .txt file, you can use ‘$cred = new-object -typename System.Management.Automation.PSCredential’ or ‘$cred = Get-Credential’ and ignore $username, $password and the command below.

Now input the variables you are going to need to change.

#Error handling: Stop on first error, or Continue {Stop|Continue}
$ErrorActionPreference = "Continue"
$Domain = "Plebs.local"  #Your domain
$username = "Plebs\Administrator"  #Your admin domain account

Now for the variables you are not required to change.

$OldCName = $env:COMPUTERNAME
$password = cat C:\mysecurestring.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

Next you are going to need to include a command that edits the registry to run your batch file on the next login. A RunOnce entry only runs one time, making this ideal.

new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -name "ReJoinDomain" -value "C:\scripts\joindomain.bat"

Now the most important part, the command to remove the computer from the domain and force a restart.

remove-computer -credential $cred -passthru -verbose
Restart-Computer

Awesome, your removal script is completed. Save it to your ‘C:\Scripts’ path.

Script in its entirety –

read-host -AsSecureString | convertfrom-securestring | out-file C:\mysecurestring.txt

#Error handling: Stop on first error, or Continue {Stop|Continue}
$ErrorActionPreference = "Continue"

$Domain = "Plebs.local" #Your domain
$username = "Plebs\Administrator"  #Your domain admin username

$OldCName = $env:COMPUTERNAME
$password = cat C:\mysecurestring.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -name "ReJoinDomain" -value "C:\scripts\joindomain.bat"

remove-computer -credential $cred -passthru -verbose
Restart-Computer
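As an added example (not the post’s own script), here is a guarded version of the removal script above. It first tries the ‘test-computersecurechannel -repair’ option mentioned at the top of the post, checks that the stored password file from the ‘read-host’ step can actually be read back before the machine leaves the domain, and removes the RunOnce entry and the password file again if Remove-Computer fails. The file paths, key name and account are the post’s own; ‘HasSucceeded’ is the property on the object Remove-Computer returns with -PassThru.

```powershell
# Added example, not the original post's script: the removal step with the
# cheaper repair tried first and cleanup if the unjoin fails. Paths, names and
# the stored-password file are the ones used in the post.
$ErrorActionPreference = 'Stop'

$Username    = 'Plebs\Administrator'   # Your domain admin account
$SecretFile  = 'C:\mysecurestring.txt'
$RunOncePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$BatchFile   = 'C:\Scripts\joindomain.bat'

# 1. If the secure channel is already fine, or can be repaired in place,
#    there is no need to leave and rejoin the domain at all.
if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Host 'Secure channel is healthy; nothing to do.'
    return
}
$cred = Get-Credential -UserName $Username -Message 'Domain admin password'
if (Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction SilentlyContinue) {
    Write-Host 'Secure channel repaired; no leave/rejoin needed.'
    return
}

# 2. Store the password for the rejoin script. ConvertFrom-SecureString uses
#    DPAPI, so the file only decrypts for the same account on this machine:
#    log in after the reboot with the account that ran this script. Read it
#    back now so a broken file is caught before the machine leaves the domain.
$cred.Password | ConvertFrom-SecureString | Out-File $SecretFile
try {
    $null = Get-Content $SecretFile | ConvertTo-SecureString
} catch {
    Remove-Item $SecretFile -ErrorAction SilentlyContinue
    throw "Stored password could not be read back: $_"
}

# 3. Register the one-shot rejoin, then leave. If Remove-Computer fails, undo
#    both so RunOnce does not try to rejoin a machine that never left.
New-ItemProperty -Path $RunOncePath -Name 'ReJoinDomain' -Value $BatchFile `
    -PropertyType String -Force | Out-Null
try {
    $result = Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' `
        -Force -PassThru -Verbose
    if (-not $result.HasSucceeded) { throw 'Remove-Computer reported failure' }
} catch {
    Remove-ItemProperty -Path $RunOncePath -Name 'ReJoinDomain' -ErrorAction SilentlyContinue
    Remove-Item $SecretFile -ErrorAction SilentlyContinue
    throw
}
Restart-Computer -Force
```

Run it from an elevated PowerShell session, as both the secure channel repair and the RunOnce registry write need local admin rights.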


Lastly we need to create the script to join the computer to the domain –

We can use the removal script to speed this up. Instead of the commands that add the registry key and remove the computer from the domain, add the command that adds the computer back into the domain –

Add-Computer -ComputerName $OldCName -DomainName "$Domain" -credential $cred -force -restart

It should look similar to this –

read-host -assecurestring | convertfrom-securestring | out-file C:\mysecurestring.txt
$ErrorActionPreference = "Stop"

$Domain = "Plebs.local"  #Your domain
$username = "Plebs\Administrator"  #Your domain admin username

$OldCName = $env:COMPUTERNAME
$password = cat C:\mysecurestring.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

Add-Computer -ComputerName $OldCName -DomainName "$Domain" -credential $cred

Remove-Item "C:\mysecurestring.txt"

Restart-Computer

Remember to save it under the same name as listed in the batch file, so in this case ‘rejoindomain.ps1’, and in the same file path ‘C:\Scripts’.

Similar to what I explained above – you can change the $password variable and remove the need to manually input the admin account password.

Otherwise, as soon as you log in with the local account after the reboot – the command will require you to input your domain admin account credentials again.


Your ‘C:\Scripts\’ folder should now look similar to the image below –


Congratulations you are now ready!

In the event where you want to remove and re-add a computer from the domain, all you need to do is copy the scripts folder onto the computer’s C drive and run your removal script. I called mine ‘leavedomain.ps1’.

Summary of the action:

The removal script will take the computer off the domain and force joindomain.bat to run automatically after the restart (happening after you log in with the local account), and the batch file will run rejoindomain.ps1, joining the computer back up to the domain. After the second reboot, the workstation will be on the domain again and you can log in with a domain account.


If you are experiencing execution errors similar to the message below –

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective
execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:1

Please check out my execution policies post (Coming Soon) – it will explain why the message is appearing and how to edit your PowerShell scripts, registry or domain GPOs to avoid the problem.

Otherwise this Stack Overflow post has a number of users explaining and resolving the issue.

Thanks for reading – feel free to follow and stay updated 🙂
