Uninstall-ADServiceAccount

Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.

Syntax

Uninstall-ADServiceAccount
         [-WhatIf]
         [-Confirm]
         [-AuthType <ADAuthType>]
         [-ForceRemoveLocal]
         [-Identity] <ADServiceAccount>
         [<CommonParameters>]

Description

The Uninstall-ADServiceAccount cmdlet removes an Active Directory standalone managed service account (MSA) on the computer on which the cmdlet is run. For group MSAs, the cmdlet removes the group MSA from the cache. However, if a service is still using the group MSA and the host has permission to retrieve the password, then a new cache entry is created. The specified MSA must be installed on the computer.

the Identity parameter specifies the Active Directory MSA to uninstall. You can identify an MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Account Manager (SAM) account name. You can also set the parameter to an MSA object variable, such as $<localServiceAccountObject> or pass an MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to get an MSA object and then pass that object through the pipeline to the Uninstall-ADServiceAccount cmdlet.

Examples

Example 1: Uninstall a specified MSA

PS C:\> Uninstall-ADServiceAccount -Identity SQL-SRV1

This command uninstalls the MSA identified as SQL-SRV1 from the local machine.

Example 2: Uninstall an MSA from a server in a read-only domain controller site

PS C:\> Uninstall-ADServiceAccount -Identity sql-hr-01 -ForceRemoveLocal

This command uninstalls the specified standalone MSA from a server located in a read-only domain controller site such as a perimeter network.

Parameters

-AuthType

Specifies the authentication method to use. The acceptable values for this parameter are:

  • Negotiate or 0
  • Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

Type:ADAuthType
Accepted values:Negotiate, Basic
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ForceRemoveLocal

Indicates that you can remove the account from the local security authority (LSA) if there is no access to a writable domain controller. This is required if you are uninstalling the MSA from a server that is placed in a segmented network such as a perimeter network with access only to a read-only domain controller. If you specify this parameter and the server has access to a writable domain controller, the account is also un-linked from the computer account in the directory.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Identity

Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. The acceptable values for this parameter are:

  • A Distinguished Name
  • A GUID (objectGUID)
  • A Security Identifier (objectSid)
  • A SAM Account Name (sAMAccountName)

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

Type:ADServiceAccount
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None or Microsoft.ActiveDirectory.Management.ADServiceAccount

A managed service account object is received by the Identity parameter. A parameter with name ForceRemoveLocal is provided to un-install standalone MSAs on a read-only domain controller site.

Outputs

None

Notes

  • This cmdlet does not work with AD LDS.
  • This cmdlet does not work with an Active Directory snapshot.
  • This cmdlet does not work with a read-only domain controller.