You have a group Managed Service Account named Service01. Three servers named Server01,
Server02, and Server03 currently use the Service01 service account.
You plan to decommission Server01.
You need to remove the cached password of the Service01 service account from Server01. The
solution must ensure that Server02 and Server 03 continue to use Service01.
Which cmdlet should you run?
A.
Set-ADServiceAccount
B.
Remove-ADServiceAccount
C.
Uninstall-ADServiceAccount
D.
Reset-ADServiceAccountPassword
Explanation:
The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet
does not make changes to any computers that use the service account. After this operation, the
service account is no longer hosted on the target computer but still exists in the directory.
Incorrect:
Not C: The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on the
computer on which the cmdlet is run. The specified service account must be installed on the
computer.Remove-ADServiceAccount
https://technet.microsoft.com/en-us/library/ee617190.aspx
Provided answer may be incorrect.
https://technet.microsoft.com/en-us/library/jj128431.aspx#BKMK_DecommMemberHosts specifically states that the command to remove cached gMSA credentials from a server is, in fact, Uninstall-ADServiceAccount
agree
It clearly states “Remove the cached gMSA credentials from the member host using Uninstall-ADServiceAccount or the NetRemoveServiceAccount API on the host system”
For example, to remove the cached credentials for a gMSA named ITFarm1 type the following command, and then press ENTER
Uninstall-ADServiceAccount ITFarm1
Uninstall-ADserviceaccount
http://www.netid.washington.edu/documentation/groupManagedServiceAccounts.aspx
However, The Remove-ADServiceAccount command says it will not affect other computers.
https://technet.microsoft.com/en-us/library/ee617190.aspx
Yes it will, The account will still be on the other servers BUT IT WILL BE GONE FROM ACTIVE DIRECTORY MAKING IT UNUSABLE.
Set-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617252.aspx
Uninstall-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617202.aspx
Uninstalls an Active Directory service account from a computer. -The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on the computer on which the cmdlet is run. The specified service account must be installed on the computer.
Remove-ADServiceAccount – https://technet.microsoft.com/en-us/library/ee617190.aspx
Remove an Active Directory service account. – The Remove-ADServiceAccount cmdlet removes an Active Directory service account. This cmdlet does not make changes to any computers that use the service account. After this operation, the service account is no longer hosted on the target computer but still exists in the directory.
Reset-ADServiceAccountPassword – https://technet.microsoft.com/en-us/library/ee617201.aspx
Resets the service account password for a computer.
The Reset-ADServiceAccountPassword cmdlet resets the service account password for the local computer. This cmdlet needs to be run on the computer where the service account is installed
in my opinion
possible are B&C
C. must be “The specified service account must be installed on the computer.”
B. is the closest in my opinion,..
is there somone with a better answer
* this question exist allsow with Account01=Service01
OK, after closer looking at f_idiot’s link, it looks like the Uninstall should be used to get rid of the cached credentials. The Remove is used to remove it from AD. The Help is not terribly clear on these things.
It looks like using Uninstall-ADSERVICEACCOUNT updates active directory…
https://www.petri.com/managed-service-accounts-3
https://technet.microsoft.com/en-us/library/ee617190.aspx