Leaving and rejoining a Windows computer to an Active Directory (AD) domain is a common troubleshooting step, but it can lead to major headaches if not done correctly, especially in a modern hybrid environment. A common pitfall is being locked out of the machine, unable to log in with a local account because the device is still partially tied to a cloud identity like Azure AD (Microsoft Entra ID).

This guide will walk you through the proper way to leave and rejoin a domain, and how to recover if you find yourself locked out.


The “Right Way” to Leave a Domain

To avoid problems, you should always ensure you have a working local administrator account before you leave the domain.

  1. Enable the Local Administrator: Open PowerShell as an Administrator and run:
    net user Administrator /active:yes
    net user Administrator "YourStrongPassword"
  2. Log in as the Local Administrator: Sign out and log back in as .\Administrator to ensure the account works.
  3. Properly Leave the Domain: While logged in as the local administrator, use the Remove-Computer cmdlet.
    Remove-Computer -UnjoinDomain -Credential (Get-Credential) -Restart
    This will cleanly disjoin the machine from the domain and restart it.

The Problem: Locked Out After Leaving a Domain

If you’ve already left the domain and now can’t log in with a local account, it’s likely because the machine was Hybrid Azure AD Joined. The Windows login screen is still trying to use a cloud identity, effectively hiding the local username/password fields.

You can confirm this if you see AzureAdJoined : YES when running dsregcmd /status from a command prompt.
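Both the pre-flight advice in “The Right Way to Leave a Domain” and the dsregcmd /status check just described can be scripted so nothing is eyeballed. The PowerShell below is an added example written for this article, not part of the original guide or any Microsoft tooling: it parses dsregcmd /status into a hashtable, confirms the built-in Administrator is enabled and that you are signed in with a local account, and flags BitLocker, because the Advanced Startup command prompt used in the recovery steps asks for the recovery key of an encrypted OS volume. The function names Get-DsregStatus and Test-SafeToUnjoin are my own; the script assumes Windows 10/11 with the built-in LocalAccounts and BitLocker modules and an elevated PowerShell window.

```powershell
# Added example: pre-flight check before Remove-Computer. Not part of the
# original guide; function names are my own. Run from an elevated PowerShell.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable,
    # e.g. $status['AzureAdJoined'] -> 'YES'. Section headers and the
    # +----+ separator lines contain no "Key :" pair and are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-SafeToUnjoin {
    # Returns Blocking (must fix before unjoining) and Warnings (plan for them).
    $blocking = @()
    $warnings = @()

    # 1. The built-in Administrator (RID 500) must exist and be enabled.
    #    Look it up by SID in case the account was renamed by policy.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) {
        $blocking += 'Built-in Administrator (RID 500) account not found.'
    } elseif (-not $admin.Enabled) {
        $blocking += "Built-in Administrator ('$($admin.Name)') is disabled; run: net user $($admin.Name) /active:yes"
    }

    # 2. Be signed in with a local account, not a domain one, so the session
    #    you are working from still exists after the unjoin.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # AUTHORITY\user
    if ($me.Split('\')[0] -ne $env:COMPUTERNAME) {
        $blocking += "Signed in as '$me' (a domain account); sign in as .\Administrator first."
    }

    # 3. Join state as reported by dsregcmd. AzureAdJoined : YES is the case the
    #    article warns about: the sign-in screen keeps offering the cloud
    #    identity after the unjoin, so plan on dsregcmd /leave.
    $ds = Get-DsregStatus
    if ($ds['DomainJoined'] -ne 'YES') {
        $blocking += 'dsregcmd reports DomainJoined : NO; there is no AD domain to leave.'
    }
    if ($ds['AzureAdJoined'] -eq 'YES') {
        $warnings += 'AzureAdJoined : YES; expect the cloud sign-in screen and plan to run dsregcmd /leave.'
    }

    # 4. BitLocker. The Advanced Startup command prompt asks for the recovery
    #    key of an encrypted OS volume, so make sure the key is escrowed
    #    (AD, Entra or a printout) before you start.
    try {
        $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ($bde.ProtectionStatus -eq 'On') {
            $warnings += "BitLocker is on for $($env:SystemDrive); confirm you hold its recovery key before continuing."
        }
    } catch {
        # BitLocker module not available (e.g. Home edition): nothing to check.
    }

    [pscustomobject]@{ Blocking = $blocking; Warnings = $warnings }
}

$check = Test-SafeToUnjoin
$check.Warnings | ForEach-Object { Write-Warning $_ }
if ($check.Blocking.Count -eq 0) {
    Write-Host 'Pre-flight OK: safe to run Remove-Computer -UnjoinDomain.'
} else {
    $check.Blocking | ForEach-Object { Write-Error $_ }
}
```

Run it once before Remove-Computer; if anything lands in Blocking, fix that first. The same Get-DsregStatus helper is also handy after Step 2 below to confirm that dsregcmd /leave really flipped AzureAdJoined to NO.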


The Solution: A Step-by-Step Recovery Guide

If you are locked out, follow these steps to regain control and cleanly rejoin the domain.

Step 1: Gain Local Admin Access

Your first challenge is to get an administrative command prompt to enable the local administrator account.

  1. Boot into Advanced Startup: At the login screen, hold down the Shift key and click Power → Restart. This will reboot the machine into the “Choose an option” screen.
  2. Navigate to the Command Prompt: Go to Troubleshoot → Advanced options → Command Prompt.
  3. Activate the Administrator Account: In the command prompt, run the following commands to activate the built-in administrator and set a password.
    net user Administrator /active:yes
    net user Administrator "YourStrongPassword"
  4. Restart and Log In: Close the command prompt and restart the computer. At the login screen, you should now be able to select “Other user” and sign in with:
    • Username: .\Administrator
    • Password: YourStrongPassword

You now have local administrative control of the machine.

Step 2: Clean Up the Old Identity

Before rejoining the domain, it’s crucial to remove any lingering identities to prevent conflicts.

  1. Leave the Cloud Domain (if applicable): Open PowerShell as an Administrator and run:
    dsregcmd /leave
  2. Rename the Computer: It’s a best practice to rename the computer to avoid conflicts with stale DNS records or computer objects in Active Directory.
    Rename-Computer -NewName "NEW-PC-NAME" -Restart

Step 3: Rejoin the Active Directory Domain

After the computer restarts, log in again as the local Administrator (.\Administrator). You can now cleanly join the domain.

Add-Computer -DomainName "mydomain.com" -Credential (Get-Credential) -Restart

When prompted, enter the credentials of a domain user with permission to join computers to the domain.
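Step 2 recommends a fresh name to avoid stale computer objects, and Step 3 joins with Add-Computer. The added PowerShell below (my own example, not code from the original guide) turns that into a checked join: it looks the intended name up in AD over LDAP first, so a leftover object is found instead of collided with, then renames and joins in a single Add-Computer call using its -NewName parameter (a small departure from the separate Rename-Computer step above, so the machine never reboots under a name that may conflict), and it finishes with a post-reboot health check. The function names and the mydomain.com / NEW-PC-NAME / MYDOMAIN\joinaccount values in the usage comments are placeholders.

```powershell
# Added example: a checked domain join. Not part of the original guide; the
# function names and the values in the usage block are placeholders.
# Run from an elevated PowerShell while signed in as .\Administrator.

function Find-ExistingComputerObject {
    param(
        [Parameter(Mandatory)] [string] $DomainName,     # DNS name, e.g. mydomain.com
        [Parameter(Mandatory)] [string] $ComputerName,   # the name you intend to use
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Serverless LDAP bind with the join credentials; no RSAT module required.
    # DirectoryEntry defaults to AuthenticationTypes.Secure, so the password is
    # used for Kerberos/NTLM authentication rather than sent in the clear.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainName", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Computer accounts carry a trailing '$' in sAMAccountName; the backtick stops
    # PowerShell from reading "$)" as a variable.
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'lastLogonTimestamp', 'pwdLastSet'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }

    # Both timestamps are FILETIME integers. A lastLogonTimestamp months in the
    # past is the usual sign of an object left behind by an earlier, unclean unjoin.
    function ConvertFrom-FileTimeProperty([string] $Name) {
        if ($hit.Properties.Contains($Name) -and $hit.Properties[$Name].Count -gt 0) {
            [DateTime]::FromFileTime([int64]$hit.Properties[$Name][0])
        }
    }
    [pscustomobject]@{
        DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
        LastLogon         = ConvertFrom-FileTimeProperty 'lastlogontimestamp'
        PasswordLastSet   = ConvertFrom-FileTimeProperty 'pwdlastset'
    }
}

function Join-DomainChecked {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $NewName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # 1. Refuse to collide with an existing object; clean it up in AD (or pick
    #    another name) first, which is exactly the conflict Step 2 warns about.
    $existing = Find-ExistingComputerObject -DomainName $DomainName -ComputerName $NewName -Credential $Credential
    if ($existing) {
        $msg = "A computer object named '{0}' already exists at {1} (last logon {2}). Remove it in AD or choose another name before joining." -f `
            $NewName, $existing.DistinguishedName, $existing.LastLogon
        Write-Warning $msg
        return $false
    }
    # 2. Rename and join in one operation. No -Restart here, so you can inspect
    #    the result and then reboot deliberately.
    Add-Computer -DomainName $DomainName -NewName $NewName -Credential $Credential -ErrorAction Stop
    Write-Host "Joined $DomainName as $NewName. Restart to complete the join."
    return $true
}

function Test-DomainJoinHealthy {
    # Run after the reboot from an elevated prompt. Test-ComputerSecureChannel
    # validates the machine account password against a domain controller, which
    # is the check that fails when a stale object was silently reused.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName    = $cs.Name
        Domain          = $cs.Domain
        PartOfDomain    = $cs.PartOfDomain
        SecureChannelOK = Test-ComputerSecureChannel
    }
}

# Usage (placeholder values):
# $cred = Get-Credential 'MYDOMAIN\joinaccount'
# if (Join-DomainChecked -DomainName 'mydomain.com' -NewName 'NEW-PC-NAME' -Credential $cred) { Restart-Computer }
# ... after the reboot, signed in with a domain account:
# Test-DomainJoinHealthy
```

If Test-DomainJoinHealthy reports PartOfDomain as True but SecureChannelOK as False, the join completed against an object whose machine password does not match; deleting that object in AD and joining again is the clean fix, which is why the name lookup runs before the join rather than after.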


Conclusion

Rejoining a computer to an Active Directory domain can be a smooth process if done correctly.

  • Proactively: Always ensure you have a working local administrator account before leaving a domain.
  • Reactively: If you get locked out, use the Advanced Startup options to enable the built-in administrator account and regain control.
  • Best Practice: Always rename the computer before rejoining to prevent conflicts.

By following these steps, you can avoid the common pitfalls of domain rejoining and ensure a clean, successful connection to your Active Directory environment.

Related Reading: If you are experiencing issues where the computer is still reachable on the network after leaving the domain, check out our guide on Stale Computer Identities in AD & Azure AD.