| Event Information | According to Microsoft :
Cause :
This event is logged when the error occurred when trying to remove the account from the group.
Resolution :
Remove the member account from the group manually
The Security Accounts Manager (SAM) could not remove the specified account from the specified group. The group name and the account name are specified in the Event Viewer event text. To resolve this issue, remove the account from the group. Perform the following procedure using a domain member computer hat has domain administrative tools installed.
To perform this procedure, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
To remove an account from a group:- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click the object that represents your domain, and then click Find. The Find Users, Contacts, and Groups dialog box opens.
- In Name, type the name of the account that is specified in the event text that should be removed from the group.
- Click Find Now. The group appears in Search results.
- Right-click the account, and then click Properties.
- On the Member Of tab, you see the group from which this account should be removed. Ensure that the group to be removed is not shown as the Primary group:
- If the group is shown as the Primary group, select another group, and then click Set Primary Group.
- If there is no other group listed in Member of, first click Add, enter the name of an appropriate group for this account's primary group membership, and then click OK. Next, select that group, and then click Set Primary Group.
- Select the group from which the account is to be removed, and then click Remove.
- Click Yes to confirm the removal of the account from this group.
Verify :
To ensure that the domain controller demotion was successful, verify that the Active Directory database files were removed and that the computer account is no longer in the Domain Controllers organizational unit (OU) or in the Domain Controllers group in Active Directory Users and Computers. Perform the following procedures using a domain member computer that has domain administrative tools installed.
To perform these procedures, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
Verify that the Active Directory database files were removed
To verify that the Active Directory database files were removed:- Open a command prompt as an administrator. To open a command prompt as administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the command prompt, type cd /d %windir%\ntds, and then press ENTER. (If you installed Active Directory to a nondefault folder when you installed this domain controller, substitute that folder name and path for %windir%\ntds). If the result of this command is File not found, the files were deleted successfully.
Verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group
To verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group:- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
- Expand the domain object, if necessary, and then click the Domain Controllers OU. If the computer account is not in this container, the removal of the computer account from the OU was successful.
- Right-click the domain object, and then click Find.
- In Name, type Domain Controllers, and then click Find Now. The Domain Controllers group appears in Search results.
- Right-click the Domain Controllers group, and then click Properties.
- On the Members tab, ensure that the computer account is not listed.
|