

Remove "Access work or school" accounts/connections as admin.

Question

Tuesday, March 19, 2019 3:48 PM | 1 vote

Hi,

One of my customers has their computers connected to Azure AD and wants to remove them since they do not use cloud services from Microsoft.

Blocking new devices from joining is not a problem; it has already been disabled. Same thing with deleting them from Azure AD, no problem.

The problem is to remove the connection locally on the Windows 10 client without user interaction, using GPO or scripts.

We have tried to run dsregcmd.exe /debug /leave as system using a GPO and a scheduled task but with no success. The users can still remove the account connection manually by pressing "disconnect" and the account is correctly removed.

Any suggestions on removing around 1000 client connections from an administrator's perspective so the users do not need to do it manually? Has anyone solved this?

All replies (7)

Wednesday, March 20, 2019 2:51 AM

Hi,

Thanks for your question.

You can try activating the following GPO settings to deny Microsoft accounts:

Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Block Microsoft accounts
Registry: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount\value=0

Hope it could help.

Best Regards,

Eric

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, March 20, 2019 4:23 AM

Not sure you have access to the Azure portal, but you can do it on the Azure portal.

Azure Active Directory > Devices > All devices > Select Manage > Tick any devices that you intend to delete and select delete.
Any deleted device will remove all computers that are connected to Azure AD without users manually deleting them themselves.


Wednesday, March 20, 2019 9:34 AM

Not sure you have access to the Azure portal, but you can do it on the Azure portal.

Azure Active Directory > Devices > All devices > Select Manage > Tick any devices that you intend to delete and select delete.
Any deleted device will remove all computers that are connected to Azure AD without users manually deleting them themselves.

Ty for the reply,

Removing them in the Azure portal is not the issue, as I stated in my question. I want to delete the account/accounts on the local machines, under Settings > Accounts > Access work or school > Delete, without making the users do it manually.


Wednesday, March 20, 2019 9:39 AM

You can try activating the following GPO settings to deny Microsoft accounts:

Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Block Microsoft accounts
Registry: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount\value=0

Thank you for the reply.

I have tested using this GPO setting and registry value, but it does not remove the account that is already added by the user; it only blocks new accounts?

Is there any way to delete current connections/accounts?


Thursday, March 21, 2019 7:18 AM

Hi,

Thanks for your update.

I am now researching whether it can be realized and will get back to you if I have any update. I appreciate your patience.

If you have any updates during this process, please feel free to let me know.

Best Regards,

Eric



Monday, March 25, 2019 5:57 AM

Hi,

I am sorry that I have not found the solution. I suggest you post this in the AD forum for more suggestions.

https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=winserverDS&filter=alltypes&sort=lastpostdesc  

Best Regards,

Eric



Friday, April 5, 2019 6:50 PM

Similar issue, but I need to be able to silently disconnect these "work or school" accounts from a "user state NOT device state perspective" on "True Kiosk" machines. Numerous users log into "SSO front" with the machine always logged in to Windows as DefaultUser.

I just need a command line, VB, PowerShell, set of reg keys, files or folders, anything to delete every time a user logs out of SSO. Preferably without logging off the Windows DefaultUser.

Please help, I have about 10,000 of 30,000 devices I need to be able to manage this on.

Abraham FYI: I've noticed when I run dsregcmd.exe /status I can see the accounts listed under "User State". When I manually click disconnect from Settings\Accounts\Access work or school and run dsregcmd.exe /status again, it shows it cleared out.

doesn't really work for my situation, because we actually would like user to be able to add this account info during login/logout and remove it. But you could script an export like dsregcmd.exe /status>C:\Temp\Out.txt then parse that file for the user state. There's about 7 properties of user state that "in my environment" should say no.

I'm not seeing a new post in the other forum yet. Please let me know if a new one there is created to follow.
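
The export-and-parse check suggested in the last reply, as an added PowerShell example that is not part of the original thread: it reads dsregcmd.exe /status text, extracts the "User State" section and lists the properties that still report YES. The function names are hypothetical and the sample output is constructed, with only a few properties shown.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Get-DsregSection {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Lines,
        [Parameter(Mandatory)] [string] $Section
    )
    $result  = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        # Section banner, e.g. "| User State            |"
        if ($line -match '^\s*\|\s*(?<name>[^|]+?)\s*\|\s*$') {
            $current = $Matches['name']
            continue
        }
        # Property line inside the wanted section, e.g. "WorkplaceJoined : NO"
        if ($current -eq $Section -and
            $line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*?)\s*$') {
            $result[$Matches['key']] = $Matches['value']
        }
    }
    return $result
}

function Get-UserStateFlagsSet {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Lines)
    $state = Get-DsregSection -Lines $Lines -Section 'User State'
    # Names of every User State property that still reports YES
    @($state.GetEnumerator() | Where-Object { $_.Value -eq 'YES' } |
        ForEach-Object { $_.Key })
}

# Constructed sample of "dsregcmd.exe /status" output (abbreviated).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : NO
'@ -split '\r?\n'

Get-UserStateFlagsSet -Lines $sample      # lists WorkplaceJoined
# On a client: Get-UserStateFlagsSet -Lines (dsregcmd.exe /status)
```

User State reflects the account the command runs under, so run the check in the logged-on user's session rather than as SYSTEM; an empty result means no User State property reports YES.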