Uninstall-ADServiceAccount
Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.
Syntax
Uninstall-ADServiceAccount
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-ForceRemoveLocal]
[-Identity] <ADServiceAccount>
[<CommonParameters>] Description
The Uninstall-ADServiceAccount cmdlet removes an Active Directory standalone managed service account (MSA) on the computer on which the cmdlet is run. For group MSAs, the cmdlet removes the group MSA from the cache. However, if a service is still using the group MSA and the host has permission to retrieve the password, then a new cache entry is created. The specified MSA must be installed on the computer.
the Identity parameter specifies the Active Directory MSA to uninstall.
You can identify an MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Account Manager (SAM) account name.
You can also set the parameter to an MSA object variable, such as $<localServiceAccountObject> or pass an MSA object through the pipeline to the Identity parameter.
For example, you can use the Get-ADServiceAccount cmdlet to get an MSA object and then pass that object through the pipeline to the Uninstall-ADServiceAccount cmdlet.
Examples
Example 1: Uninstall a specified MSA
PS C:\> Uninstall-ADServiceAccount -Identity SQL-SRV1This command uninstalls the MSA identified as SQL-SRV1 from the local machine.
Example 2: Uninstall an MSA from a server in a read-only domain controller site
PS C:\> Uninstall-ADServiceAccount -Identity sql-hr-01 -ForceRemoveLocalThis command uninstalls the specified standalone MSA from a server located in a read-only domain controller site such as a perimeter network.
Parameters
-AuthType
Specifies the authentication method to use. The acceptable values for this parameter are:
- Negotiate or 0
- Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.
| Type: | ADAuthType |
| Accepted values: | Negotiate, Basic |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ForceRemoveLocal
Indicates that you can remove the account from the local security authority (LSA) if there is no access to a writable domain controller. This is required if you are uninstalling the MSA from a server that is placed in a segmented network such as a perimeter network with access only to a read-only domain controller. If you specify this parameter and the server has access to a writable domain controller, the account is also un-linked from the computer account in the directory.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identity
Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. The acceptable values for this parameter are:
- A Distinguished Name
- A GUID (objectGUID)
- A Security Identifier (objectSid)
- A SAM Account Name (sAMAccountName)
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an object instance.
| Type: | ADServiceAccount |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
None or Microsoft.ActiveDirectory.Management.ADServiceAccount
A managed service account object is received by the Identity parameter. A parameter with name ForceRemoveLocal is provided to un-install standalone MSAs on a read-only domain controller site.
Outputs
None
Notes
- This cmdlet does not work with AD LDS.
- This cmdlet does not work with an Active Directory snapshot.
- This cmdlet does not work with a read-only domain controller.