2.7.7.2 Unjoin from the Domain - Domain Client

In this use case, a client administrator wants to unjoin a domain client from the domain that it is currently part of, usually to repurpose or decommission the client computer.

Goal

Unjoin a domain client from the domain.

Context of Use

The domain-client administrator invokes this task to enable the domain client to unjoin from the domain so that the members of the domain do not access its resources.

Use case diagram to unjoin a domain client from the domain

Figure 39: Use case diagram to unjoin a domain client from the domain

Actors

  • Domain client

    The domain client is the primary actor. It is the entity that locates and connects to the domain controller and unjoins from the domain. If the unjoin task fails, the local state of the domain client is unchanged.

  • Domain controller

    The domain controller is the supporting actor that advertises its capabilities, responds to domain-unjoin inquiries, and services the request from the domain client to disable the domain account.

Stakeholders

  • Client administrator

    The client administrator initiates the domain-unjoin process on the domain client.

    The primary interest of the client administrator is that the state of the computer object on the domain controller is updated to reflect that the domain client has unjoined from the domain.

  • Client computer

    The client computer is the computer on which the domain client runs before the domain-unjoin task is initiated.

    The primary interest of the client computer is that the machine local state of the domain client is updated to reflect that the client has unjoined from the domain.

Preconditions

  • The client computer has successfully completed the domain join task, as described in preceding sections, and is still part of the domain.

Main Success Scenario

  1. Trigger: The client administrator triggers this use case to unjoin the client computer from the domain.

  2. The domain client uses the Locate a Domain Controller use case to locate a domain controller. For more information, see section 2.7.7.3.1.

  3. The domain client uses the credentials of the domain administrator to establish an SMB/CIFS connection to the domain controller ([MS-SMB2], [MS-SMB], or [MS-CIFS]).

  4. The domain client uses the SAMR protocol to disable the machine account on the domain controller [MS-SAMR].

  5. The (former) domain client updates its local state.

  6. The (former) domain client closes connections.

  7. The (former) domain client reinitializes local protocols.

Postcondition

The domain client is no longer joined to the domain.

Extensions

None.

Show: