You can remove a computer from a domain without necessarily disabling or deleting the computer's account in Active Directory. If needed, you can uninstall the AD Bridge Enterprise agent from a client computer.
Leave a Domain
When a computer is removed from a domain, AD Bridge retains the settings that were made to the computer's configuration when it was joined to the domain. Changes to the nsswitch module are also preserved until you uninstall AD Bridge, at which time they are reverted.
Before leaving a domain, run the following command to view the changes that will take place:
domainjoin-cli leave --advanced --preview domainName
[root@rhel4d example]# domainjoin-cli leave --advanced --preview example.com Leaving AD Domain: EXAMPLE.COM [X] [S] ssh - configure ssh and sshd [X] [N] pam - configure pam.d/pam.conf [X] [N] nsswitch - enable/disable nsswitch module [X] [N] stop - stop daemons [X] [N] leave - disable machine account [X] [N] krb5 - configure krb5.conf [F] keytab - initialize kerberos keytab Key to flags [F]ully configured - the system is already configured for this step [S]ufficiently configured - the system meets the minimum configuration requirements for this step [N]ecessary - this step must be run or manually performed [X] - this step is enabled and will make changes [ ] - this step is disabled and will not make changes
Remove a Linux or Unix Computer from a Domain
To remove the computer, use a root account to run the following command:
Disable the Computer Account in Active Directory
By default, a computer account in Active Directory is not disabled or deleted when the computer is removed from the domain.
To disable but not delete the computer account, include the user name as part of the leave command. You will be prompted for the user account password:
/opt/pbis/bin/domainjoin-cli leave userName
Remove the Computer Account in Active Directory
To delete the computer account, use the option --deleteAccount and include the user name as part of the leave command.
You will be prompted for the password of the user account:
/opt/pbis/bin/domainjoin-cli leave --deleteAccount userName
Uninstall the Agent on a Linux or Unix Computer
You can uninstall AD Bridge Enterprise by using a shell script or by using a command.
Use a Shell Script to Uninstall
Before uninstalling the agent, you must leave the domain. Then execute the uninstall command from a directory other than pbis so that the uninstall program can delete the pbis directory and all its subdirectories. For example, execute the command from the root directory.
For more information, please see Remote SupportPrivileged Remote AccessDevOps Secrets SafePrivileged IdentityPrivilege ManagementVulnerability ManagementBeyondInsight/Password SafeAD BridgeAuditorwww.beyondtrust.combeyondtrust.comContact SalesContact Support.
If you installed the agent on a Linux or Unix computer by using the shell script, you can uninstall the AD Bridge Enterprise agent from the command line by using the same shell script with the uninstall option.
To uninstall the agent, you must use the shell script with the same version and build number that you used to install it.. For example, on a Linux computer running glibc, change directories to the location of AD Bridge Enterprise and then run the following command as root, replacing the name of the script with the version you installed:
For information about the script's options and commands, execute the following command:
Use a Command to Uninstall
To uninstall AD Bridge Enterprise by using a command, run the following command:
To completely remove all files related to AD Bridge Enterprise from your computer, run the command as follows instead. If using this command and option, you do not need to leave the domain before uninstalling.