Uninstall-ADServiceAccount
Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.
Syntax
Uninstall-ADServiceAccount
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-ForceRemoveLocal]
[-Identity] <ADServiceAccount>
[<CommonParameters>] Description
The Uninstall-ADServiceAccount cmdlet removes an Active Directory standalone managed service account (MSA) on the computer on which the cmdlet is run. For group MSAs, the cmdlet removes the group MSA from the cache, however, if a service is still using the group MSA and the host has permission to retrieve the password a new cache entry will be created. The specified MSA must be installed on the computer.
The Identity parameter specifies the Active Directory MSA to uninstall. You can identify a MSA by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the parameter to a MSA object variable, such as $<localServiceAccountObject> or pass a MSA object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount to get a MSA object and then pass that object through the pipeline to the Uninstall-ADServiceAccount cmdlet.
For standalone MSA, the ForceRemoveLocal switch parameter will allow you to remove the account from the local LSA without failing the command if an access to a writable DC is not possible. This is required if you are uninstalling the standalone MSA from a server that is placed in a segmented network (i.e. perimeter network) with access only to an RODC. If you pass this parameter and the server has access to a writable DC the standalone MSA will be un-linked from the computer account in the directory as well.
Examples
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Uninstall-ADServiceAccount -Identity SQL-SRV1Description
Uninstall the managed service account SQL-SRV1 from the local machine.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Uninstall-ADServiceAccount sql-hr-01 -ForceRemoveLocalDescription
Uninstall a standalone Managed Service Account from a server located in a RODC-only site with no access to writable DCs such as a perimeter network.
Parameters
-AuthType
Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.
The following example shows how to set this parameter to Basic.
-AuthType Basic
| Type: | ADAuthType |
| Accepted values: | Negotiate, Basic |
| Position: | Named |
| Default value: | Microsoft.ActiveDirectory.Management.AuthType.Negotiate |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ForceRemoveLocal
The ForceRemoveLocal switch parameter will allow you to remove the account from the local LSA without failing the command if an access to a writable DC is not possible. This is required if you are uninstalling the MSA from a server that is placed in a segmented network (i.e. perimeter network) with access only to an RODC. If you pass this parameter and the server has access to a writable DC the account will be un-linked from the computer account in the directory as well.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identity
Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.
Distinguished Name
Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: WebAccount$
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an object instance.
This example shows how to set the parameter to a distinguished name.
-Identity "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=contoso,DC=com"
This example shows how to set this parameter to an account object instance named "AccountInstance".
-Identity $AccountInstance
| Type: | ADServiceAccount |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
None or Microsoft.ActiveDirectory.Management.ADServiceAccount
A managed service account object is received by the Identity parameter. A switch parameter with name ForceRemoveLocal is provided to un-install standalone MSAs on a RODC only site.
Outputs
None
Notes
This cmdlet does not work with AD LDS.
This cmdlet does not work with an Active Directory Snapshot.
This cmdlet does not work with a read-only domain controller.
Related Links
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for