PrepAway - Latest Free Exam Questions & Answers

Which cmdlet should you run?

You have a group Managed Service Account named Service01. Three servers named Server01,
Server02, and Server03 currently use the Service01 service account.
You plan to decommission Server01.
You need to remove the cached password of the Service01 service account from Server01. The
solution must ensure that Server02 and Server03 continue to use Service01.
Which cmdlet should you run?

A. Set-ADServiceAccount

B. Remove-ADServiceAccount

C. Uninstall-ADServiceAccount

D. Reset-ADServiceAccountPassword

Explanation:
The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet
does not make changes to any computers that use the service account. After this operation, the
service account is no longer hosted on the target computer but still exists in the directory.
Incorrect:
Not C: The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on the
computer on which the cmdlet is run. The specified service account must be installed on the
computer.

Remove-ADServiceAccount
https://technet.microsoft.com/en-us/library/ee617190.aspx

8 Comments on “Which cmdlet should you run?”

  1. Bas says:

    Answer=C
    Uninstall-ADServiceAccount
    Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.

    Parameter Set: Default
    Uninstall-ADServiceAccount [-Identity] <ADServiceAccount> [-AuthType {Negotiate | Basic} ] [-ForceRemoveLocal] [-Confirm] [-WhatIf] [ <CommonParameters>]




  2. pikapoka says:

    I believe the answer is C: Uninstall ADServiceAccount.

    Remove the cached gMSA credentials from the member host using Uninstall-ADServiceAccount or the NetRemoveServiceAccount API on the host system.

    Uninstall-ADServiceAccount
    Example –> to remove the cached credentials for a gMSA named ITFarm1 type the following command, and then press ENTER:
    Uninstall-ADServiceAccount ITFarm1

    https://technet.microsoft.com/en-us/library/jj128431.aspx




  3. wowiwidu says:

    tested in my lab, answer is Uninstall-adserviceaccount.

    remove-adserviceaccount – deleted the group managed service account from the whole of AD (although MS documentation says otherwise)

    the trick is in what here is unsaid, i.e. group managed service accounts rely on a very important parameter: Principals allowed to retrieve password.
    This is the list of servers that can get the service account password from the DC. If a server is not in the list and never ran the service account, it won’t be able to use the account as it CAN NOT get the password.
    If a server is on the list, runs the account and gets removed later, it will still be able to use the service account as the password is cached. Only removing the server from the list of allowed ones and uninstalling the service account from the server will clear the cached service account password.

    in a nutshell, to decommission a server and remove the cached service account credentials:
    1. remove the server from the allowed to retrieve password list
    2. run uninstall-ADserviceaccount

    http://www.aiotestking.com/microsoft/which-cmdlet-should-you-run-209/




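
The two decommissioning steps listed in the comment above, written out as a PowerShell script with a pre-check and a verification pass. This is an added example, not code from the page or its commenters; it assumes it is run elevated on Server01 itself with the ActiveDirectory module installed, and that the servers are listed directly (not through a group) as principals allowed to retrieve the password.

```powershell
# Added example. Run elevated on the server being decommissioned (Server01).
# Assumes the ActiveDirectory module, rights to modify the gMSA, and servers
# listed directly (not via a group) as principals allowed to retrieve the password.
Import-Module ActiveDirectory

$gmsa     = 'Service01'
$keep     = 'Server02', 'Server03'
$retiring = $env:COMPUTERNAME

# Pre-check: no local service may still log on as the gMSA (StartName ends in Service01$).
$inUse = Get-CimInstance Win32_Service | Where-Object StartName -like "*$gmsa`$"
if ($inUse) { throw "Reconfigure these services first: $($inUse.Name -join ', ')" }

# Step 1: remove this host from the allowed list. Set-ADServiceAccount replaces
# the whole list, so pass back every principal except this one.
$prop      = 'PrincipalsAllowedToRetrieveManagedPassword'
$allowed   = @((Get-ADServiceAccount $gmsa -Properties $prop).$prop)
$retireDn  = (Get-ADComputer $retiring).DistinguishedName
$remaining = @($allowed | Where-Object { $_ -ne $retireDn })

if ($remaining.Count -eq $allowed.Count) {
    Write-Warning "$retiring is not listed directly; review group membership of: $($allowed -join '; ')"
} elseif ($remaining.Count -eq 0) {
    throw "Refusing to empty the list: no host could retrieve the $gmsa password."
} else {
    Set-ADServiceAccount $gmsa -PrincipalsAllowedToRetrieveManagedPassword $remaining
}

# Step 2: clear the cached gMSA credential on this host only.
Uninstall-ADServiceAccount -Identity $gmsa

# Verify: expect False here; the other servers must still be on the allowed list.
$localOk = Test-ADServiceAccount -Identity $gmsa -WarningAction SilentlyContinue
"${retiring}: Test-ADServiceAccount = $localOk"
$after = @((Get-ADServiceAccount $gmsa -Properties $prop).$prop)
foreach ($name in $keep) {
    $dn = (Get-ADComputer $name).DistinguishedName
    '{0}: still allowed = {1}' -f $name, ($after -contains $dn)
}
```
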
  4. Him says:

    Since the server is going to be decommissioned, Remove-ADServiceAccount is the right cmdlet to remove the account permanently from the target server.

    The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet does not make changes to any computers that use the service account. After this operation, the service account is no longer hosted on the target computer but still exists in the directory.




