| Author | Drew Furgiuele (@pittfurg), port1433.com |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Remove-DbaSpn on GitHub.
Want to see the Bill Of Health for this command? Check out Remove-DbaSpn.
Removes an SPN for a given service account in active directory and also removes delegation to the same SPN, if found
This function will connect to Active Directory and search for an account. If the account is found, it will attempt to remove the specified SPN. Once the SPN is removed, the function will also remove delegation to that service.
In order to run this function, the credential you provide must have write access to Active Directory.
Remove-DbaSpn
[-SPN] <String>
[-ServiceAccount] <String>
[[-Credential] <PSCredential>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> Remove-DbaSpn -SPN MSSQLSvc\SQLSERVERA.domain.something -ServiceAccount domain\account
Connects to Active Directory and removes a provided SPN from the given account (and also the relative delegation)
PS C:\> Remove-DbaSpn -SPN MSSQLSvc\SQLSERVERA.domain.something -ServiceAccount domain\account -EnableException
Connects to Active Directory and removes a provided SPN from the given account, suppressing all error messages and throw exceptions that can be caught instead
PS C:\> Remove-DbaSpn -SPN MSSQLSvc\SQLSERVERA.domain.something -ServiceAccount domain\account -Credential ad\sqldba
Connects to Active Directory and removes a provided SPN to the given account. Uses alternative account to connect to AD.
PS C:\> Test-DbaSpn -ComputerName sql2005 | Where-Object { $_.isSet -eq $true } | Remove-DbaSpn -WhatIf
Shows what would happen trying to remove all set SPNs for sql2005 and the relative delegations
PS C:\> Test-DbaSpn -ComputerName sql2005 | Where-Object { $_.isSet -eq $true } | Remove-DbaSpn
Removes all set SPNs for sql2005 and the relative delegations
The SPN you want to remove
| Alias | RequiredSPN |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value |
The account you want the SPN remove from
| Alias | InstanceServiceAccount,AccountName |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value |
The credential you want to use to connect to Active Directory to make the changes
| Alias | |
| Required | False |
| Pipeline | true (ByPropertyName) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Shows what would happen if the command was executed
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
Turns confirmations before changes on or off
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |