PrepAway - Latest Free Exam Questions & Answers

Which cmdlet should you run?

You have a group Managed Service Account named Service01. Three servers named Server01,
Server02, and Server03 currently use the Service01 service account.
You plan to decommission Server01.
You need to remove the cached password of the Service01 service account from Server01. The
solution must ensure that Server02 and Server03 continue to use Service01.
Which cmdlet should you run?


A. Set-ADServiceAccount

B. Remove-ADServiceAccount

C. Uninstall-ADServiceAccount

D. Reset-ADServiceAccountPassword

Explanation:
The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet
does not make changes to any computers that use the service account. After this operation, the
service account is no longer hosted on the target computer but still exists in the directory.
Incorrect:
Not C: The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on the
computer on which the cmdlet is run. The specified service account must be installed on the
computer.

Remove-ADServiceAccount
https://technet.microsoft.com/en-us/library/ee617190.aspx

9 Comments on “Which cmdlet should you run?”

  1. Calin says:

    I’m not sure, but:
    Set-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617252.aspx

    Uninstall-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617202.aspx
    Uninstalls an Active Directory service account from a computer. -The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on the computer on which the cmdlet is run. The specified service account must be installed on the computer.

    Remove-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617190.aspx
    Remove an Active Directory service account. – The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet does not make changes to any computers that use the service account. After this operation, the service account is no longer hosted on the target computer but still exists in the directory.

    Reset-ADServiceAccountPassword – https://technet.microsoft.com/en-us/library/ee617201.aspx
    Resets the service account password for a computer.
    The Reset-ADServiceAccountPassword cmdlet resets the service account password for the local computer. This cmdlet needs to be run on the computer where the service account is installed

    Actual command:
    Set-ADServiceAccount -Name Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02 Server03

    Am I right?
  2. Calin says:

    similar question:
    You have a group managed Service Account named Account01.

    Only three servers named Server01, Server02 and Server03 are allowed to use Account01 service account.

    You plan to decommission Server01.

    You need to prevent Server01 from using the Account01 service account.

    The solution must ensure that Server02 and Server03 continue to use the Account01 service account

    What command should you run?
    To answer, select the appropriate options in the answer area.
  3. Robert says:

    Question is vague:
    You can Uninstall-ADServiceAccount locally from Server01, the AD account remains, it doesn’t affect Server02 and Server03.
    Remove-ADServiceAccount removes the Active Directory Service Account but it does not remove it from Server01, Server02, and Server03.

    Excerpt from the MS Exam Reference Guide 70-411:
    Removing an MSA
    You can remove an MSA from a computer by using Windows PowerShell. You can remove it from the current computer by using the Uninstall-ADServiceAccount cmdlet on the local computer where it was installed. Then remove the assignment to the computer by using the Remove-ADComputerServiceAccount cmdlet. This process leaves the MSA in place in Active Directory but not assigned to a specific computer, allowing you to reuse the account on another computer. To remove the MSA entirely from Active Directory, use the Remove-ADServiceAccount cmdlet.

    My vote is for C
  4. Fulis says:

    Remove-ADServiceAccount

    Remove-ADServiceAccount
    Remove an Active Directory service account.
    Syntax
    Remove-ADServiceAccount [-Identity] [-AuthType { | }] [-Credential ] [-Partition ] [-Server ] [-Confirm] [-WhatIf] []

    Detailed Description
    The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet does not make changes to any computers that use the service account. After this operation, the service account is no longer hosted on the target computer but still exists in the directory.

    The Identity parameter specifies the Active Directory service account to remove. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity parameter to a service account object variable, such as $, or you can pass a service account object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Remove-ADServiceAccount cmdlet.

    Note: Removing the service account is a different operation than uninstalling the service account locally.
  5. testtaker says:

    tested in my lab, answer is Uninstall-adserviceaccount.

    remove-adserviceaccount – deleted the group managed service account from the whole of AD (although MS documentation says otherwise)

    the trick is in what here is unsaid, i.e., group managed service accounts rely on a very important parameter: Principals allowed to retrieve password.
    This is the list of servers that can get the service account password from the DC. If a server is not in the list and never run the service account, it won’t be able to use the account as it CAN NOT get the password.
    If a server is on the list, runs the account and gets removed later. It will still be able to use the service account as the password is cached. Only removing the server from the list of allowed ones and uninstalling the service account from the server, will clear the cached service account password.

    in a nutshell, to decommission a server and remove the cached service account credentials:
    1. remove the server from the allowed to retrieve password list
    2. run uninstall-ADserviceaccount




    0



    0
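The two-step decommission procedure described in the comment above, written out as an added PowerShell example that is not part of the original thread. It uses the names from the question (Service01, Server01) and assumes the ActiveDirectory module is installed and that the servers appear in the allowed list directly rather than through a group.

```powershell
# Added example: account and server names come from the question on this page.
Import-Module ActiveDirectory

$gmsa     = 'Service01'
$retiring = 'Server01'

# ---- Step 1 (admin workstation or DC): drop Server01 from the allowed list ----
$account = Get-ADServiceAccount -Identity $gmsa `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$current    = @($account.PrincipalsAllowedToRetrieveManagedPassword)
$retiringDn = (Get-ADComputer -Identity $retiring).DistinguishedName

# The property holds distinguished names; keep every entry except Server01.
$remaining = @($current | Where-Object { $_ -ne $retiringDn })

if ($remaining.Count -eq $current.Count) {
    # Nothing was filtered out: the host may be allowed through a group instead.
    Write-Warning "$retiring is not listed directly; check groups in the allowed list."
}
elseif ($remaining.Count -eq 0) {
    throw "Refusing to write an empty list: no host could retrieve the password."
}
else {
    # The parameter replaces the whole list, so pass every host that keeps access.
    Set-ADServiceAccount -Identity $gmsa `
        -PrincipalsAllowedToRetrieveManagedPassword $remaining
}

# ---- Step 2 (locally on Server01, elevated): remove the installed account ----
if ($env:COMPUTERNAME -eq $retiring) {
    Uninstall-ADServiceAccount -Identity $gmsa
    # Reports whether this host can still use the account.
    Test-ADServiceAccount -Identity $gmsa
}

# ---- Verify: list the principals that can still retrieve the password ----
(Get-ADServiceAccount -Identity $gmsa `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

Run the first and last sections where you administer the directory and the middle section on Server01 itself; the `$env:COMPUTERNAME` guard keeps the uninstall from running anywhere else.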
