Undo-ADServiceAccountMigration

Reverts the previous phase of a migration to a delegated managed service account. If the migration is currently in the start phase, the two accounts are unlinked from each other. If the migration is in the completed phase, it returns to the state of the start phase.

Syntax

Undo-ADServiceAccountMigration
    [-AuthType <ADAuthType>]
    [-Credential <PSCredential>]
    [-Identity] <ADServiceAccount>
    -SupersededAccount <String>
    [-Server <String>]
    [<CommonParameters>]

Description

The Undo-ADServiceAccountMigration cmdlet undoes the previous step of the migration process that supersedes a normal user account, specified by the distinguished name string in the SupersededAccount parameter, with the delegated managed service account provided in the Identity parameter. The two accounts must have been previously linked by the Start-ADServiceAccountMigration cmdlet.

The Identity parameter specifies the delegated managed service account to use. You can identify a managed service account by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name.

The SupersededAccount parameter specifies the user account that's linked to the delegated managed service account. The superseded account must be identified by its distinguished name.

Examples

Example 1: Undo a service account migration phase by using the Security Account Manager name of the delegated managed service account

$params = @{
    Identity = "delegatedSvc1"
    SupersededAccount = "CN=User1,OU=Accounts,DC=Contoso,DC=com"
}
Undo-ADServiceAccountMigration @params

Example 2: Undo a service account migration phase by specifying a 2025 Domain Controller

$params = @{
    Identity = "delegatedSvc1"
    SupersededAccount = "CN=User1,OU=Accounts,DC=Contoso,DC=com"
    Server = "2025DC.Contoso.com"
}
Undo-ADServiceAccountMigration @params
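The following script is an added example, not part of the original page, showing how an operator can record the migration link state on both objects before and after reverting one phase, and stop on the terminating error the module raises when the acting credentials lack permission. It assumes the ActiveDirectory module is available and targets the same accounts and domain controller as the examples above. The attribute names msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink and msDS-SupersededManagedAccountLink, and the state values 0/1/2, are assumptions about the delegated MSA schema and are not stated on this page.

```powershell
# Added example (not from the original page): audit the link state around a single undo step.
# Assumptions (not from this page):
#   msDS-DelegatedMSAState            0 = not migrating, 1 = start phase, 2 = completed
#   msDS-ManagedAccountPrecededByLink DN of the superseded user, stored on the dMSA
#   msDS-SupersededManagedAccountLink DN of the dMSA, stored on the superseded user
Import-Module ActiveDirectory

$dmsa   = "delegatedSvc1"
$userDn = "CN=User1,OU=Accounts,DC=Contoso,DC=com"
$dc     = "2025DC.Contoso.com"   # query and write through one 2025 DC so before/after compare consistently

function Get-MigrationState {
    param([string]$Identity, [string]$SupersededDn, [string]$Server)
    $svc  = Get-ADServiceAccount -Identity $Identity -Server $Server `
                -Properties 'msDS-DelegatedMSAState','msDS-ManagedAccountPrecededByLink'
    $user = Get-ADUser -Identity $SupersededDn -Server $Server `
                -Properties 'msDS-SupersededManagedAccountLink'
    [pscustomobject]@{
        State          = $svc.'msDS-DelegatedMSAState'
        PrecededBy     = $svc.'msDS-ManagedAccountPrecededByLink'
        UserLinkToDmsa = $user.'msDS-SupersededManagedAccountLink'
    }
}

$before = Get-MigrationState -Identity $dmsa -SupersededDn $userDn -Server $dc
Write-Host "Before: state=$($before.State) precededBy=$($before.PrecededBy) userLink=$($before.UserLinkToDmsa)"

try {
    # Reverts exactly one phase: a completed migration drops back to the start phase,
    # a migration still in the start phase is unlinked entirely.
    Undo-ADServiceAccountMigration -Identity $dmsa -SupersededAccount $userDn -Server $dc -ErrorAction Stop
}
catch {
    # The module returns a terminating error when the acting credentials lack
    # directory-level permission on either object; record it and stop here.
    Write-Error "Undo failed for $dmsa / $userDn on ${dc}: $($_.Exception.Message)"
    return
}

$after = Get-MigrationState -Identity $dmsa -SupersededDn $userDn -Server $dc
Write-Host "After:  state=$($after.State) precededBy=$($after.PrecededBy) userLink=$($after.UserLinkToDmsa)"

if ($after.State -eq $before.State -and $after.PrecededBy -eq $before.PrecededBy) {
    Write-Warning "No change observed on $dc; confirm the undo replicated before running it again."
}
```

Reading both sides of the link (the dMSA's preceded-by attribute and the user's superseded-by attribute) through the same server is what makes the before/after comparison meaningful; reading from a different DC could show stale replicated values and mislead the operator into re-running the undo.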

Parameters

-AuthType

Specifies the authentication method to use. The acceptable values for this parameter are:

  • Negotiate or 0
  • Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

Type:ADAuthType
Accepted values:Negotiate, Basic
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Credential

Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.

If the acting credentials don't have directory-level permission to perform the task, Active Directory module for Windows PowerShell returns a terminating error.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Identity

Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. The acceptable values for this parameter are:

  • A distinguished name
  • A GUID (objectGUID)
  • A security identifier (objectSid)
  • A SAM account name (sAMAccountName)

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

Type:ADServiceAccount
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Server

Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.

Domain name values:

  • Fully qualified domain name (FQDN)
  • NetBIOS name

Directory server values:

  • Fully qualified directory server name
  • NetBIOS name
  • Fully qualified directory server name and port

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:

  • By using the Server value from objects passed through the pipeline.
  • By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  • By using the domain of the computer running PowerShell.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SupersededAccount

Specifies the user account that you want to migrate to a delegated managed service account. The account must be specified by its distinguished name.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Inputs

ADServiceAccount

A delegated managed service account object is received by the Identity parameter.

Notes

  • This cmdlet doesn't work with AD LDS.
  • This cmdlet doesn't work with an Active Directory snapshot.
  • This cmdlet doesn't work with a read-only domain controller.
  • This cmdlet requires that you create a Microsoft Group Key Distribution Service (GKDS) root key first to begin using group managed service accounts in your Active Directory deployment. For more information on how to create the GKDS root key using Windows PowerShell, see Create the Key Distribution Services KDS Root Key.