Getting Started with Group Managed Service Accounts

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This guide provides step-by-step instructions and background information for enabling and using group Managed Service Accounts in Windows Server 2012.

Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Prerequisites

See the section in this topic on Requirements for group Managed Service Accounts.

Introduction

When a client computer connects to a service hosted on a server farm using network load balancing (NLB) or some other method where all the servers appear to the client as the same service, authentication protocols that support mutual authentication, such as Kerberos, cannot be used unless all instances of the service use the same principal. This means that each service instance has to use the same password or keys to prove its identity.

Note

Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an App pool, or a scheduled task, or if they natively support gMSA or sMSA.

Services have the following principals from which to choose, and each has certain limitations.

| Principal | Scope | Services supported | Password management |
|---|---|---|---|
| Computer Account of Windows system | Domain | Limited to one domain-joined server | Computer manages |
| Computer Account without Windows system | Domain | Any domain-joined server | None |
| Virtual Account | Local | Limited to one server | Computer manages |
| Windows 7 standalone Managed Service Account | Domain | Limited to one domain-joined server | Computer manages |
| User Account | Domain | Any domain-joined server | None |
| Group Managed Service Account | Domain | Any Windows Server 2012 domain-joined server | The domain controller manages, and the host retrieves |

A Windows computer account, a Windows 7 standalone Managed Service Account (sMSA), or a virtual account cannot be shared across multiple systems. If you configure one account for services on a server farm to share, you would have to choose a user account or a computer account that is not tied to a Windows system. Either way, these accounts do not have the capability of single-point-of-control password management. This creates a problem where each organization needs to build an expensive solution to update keys for the service in Active Directory and then distribute the keys to all instances of those services.

With Windows Server 2012, services or service administrators do not need to manage password synchronization between service instances when using group Managed Service Accounts (gMSA). You provision the gMSA in AD and then configure the service that supports Managed Service Accounts. You can provision a gMSA using the *-ADServiceAccount cmdlets, which are part of the Active Directory module. Service identity configuration on the host is supported by:

  • The same APIs as sMSA, so products that support sMSA will support gMSA

  • Services that use Service Control Manager to configure logon identity

  • Services that use the IIS manager for application pools to configure identity

  • Tasks using Task Scheduler.

Requirements for group Managed Service Accounts

The following table lists the operating system requirements for Kerberos authentication to work with services using gMSA. The Active Directory requirements are listed after the table.

A 64-bit architecture is required to run the Windows PowerShell commands used to administer group Managed Service Accounts.

Operating system requirements

| Element | Requirement | Operating system |
|---|---|---|
| Client application host | RFC compliant Kerberos client | At least Windows XP |
| User account's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| Shared service member hosts | | Windows Server 2012 |
| Member host's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| gMSA account's domain DCs | Windows Server 2012 DCs available for the host to retrieve the password | Domain with Windows Server 2012, which can have some systems earlier than Windows Server 2012 |
| Backend service host | RFC compliant Kerberos application server | At least Windows Server 2003 |
| Backend service account's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| Windows PowerShell for Active Directory | Windows PowerShell for Active Directory installed locally on a computer supporting a 64-bit architecture, or on your remote management computer (for example, using the Remote Server Administration Toolkit) | Windows Server 2012 |

Active Directory Domain Service requirements

  • The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 to create a gMSA.

    You can update the schema by installing a domain controller that runs Windows Server 2012 or by running the version of adprep.exe from a computer running Windows Server 2012. The object-version attribute value for the object CN=Schema,CN=Configuration,DC=Contoso,DC=Com must be 52.

  • New gMSA account provisioned

  • If you are managing the service host permission to use the gMSA by group, then a new or existing security group

  • If managing service access control by group, then a new or existing security group

  • If the first master root key for Active Directory is not deployed in the domain or has not been created, then create it. The result of its creation can be verified in the KdsSvc Operational log, Event ID 4004.

For instructions on how to create the key, see Create the Key Distribution Services KDS Root Key. The Microsoft Key Distribution Service (kdssvc.dll) manages the root key for AD.

Lifecycle

The lifecycle of a server farm using the gMSA feature typically involves the following tasks:

  • Deploying a new server farm

  • Adding member hosts to an existing server farm

  • Decommissioning member hosts from an existing server farm

  • Decommissioning an existing server farm

  • Removing a compromised member host from a server farm, if required.

Deploying a new server farm

When deploying a new server farm, the service administrator will need to determine:

  • Whether the service supports using gMSAs

  • Whether the service requires inbound or outbound authenticated connections

  • The computer account names for the member hosts of the service using the gMSA

  • The NetBIOS name for the service

  • The DNS host name for the service

  • The Service Principal Names (SPNs) for the service

  • The password change interval (default is 30 days).

Step 1: Provisioning group Managed Service Accounts

You can create a gMSA only if the forest schema has been updated to Windows Server 2012, the master root key for Active Directory has been deployed, and there is at least one Windows Server 2012 DC in the domain in which the gMSA will be created.

Membership in Domain Admins, Account Operators, or the ability to create msDS-GroupManagedServiceAccount objects, is the minimum required to complete the following procedures.

To create a gMSA using the New-ADServiceAccount cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the Windows PowerShell command prompt, type the following command, and then press ENTER. (The Active Directory module will load automatically.)

    New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] -SamAccountName <string> -ServicePrincipalNames <string[]>

    | Parameter | String | Example |
    |---|---|---|
    | Name | Name of the account | ITFarm1 |
    | DNSHostName | DNS host name of the service | ITFarm1.contoso.com |
    | KerberosEncryptionType | Any encryption types supported by the host servers | RC4, AES128, AES256 |
    | ManagedPasswordIntervalInDays | Password change interval in days (default is 30 days if not provided) | 90 |
    | PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts, or the security group that the member hosts are a member of | ITFarmHosts |
    | SamAccountName | NetBIOS name for the service, if not the same as Name | ITFarm1 |
    | ServicePrincipalNames | Service Principal Names (SPNs) for the service | http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso |

    Important

    The password change interval can only be set during creation. If you need to change the interval, you must create a new gMSA and set it at creation time.

    Example

    Enter the command on a single line, even though it might appear word-wrapped across several lines here because of formatting constraints.
    New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso
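The following script, added here as an example and not taken from the original article, provisions a gMSA end to end: it checks the prerequisites listed under Active Directory Domain Service requirements (KDS root key, schema object-version), places the member hosts in a security group, creates the account, and shows the verification step on a member host. The names ITFarm1, ITFarmHosts, Host1, Host2, the OU path and the KDS operational log name are assumptions.

```powershell
# Added example (not from the original article): provision a gMSA for a
# server farm, checking the prerequisites the article lists first.
# Assumed names: ITFarm1, ITFarm1.contoso.com, group ITFarmHosts,
# hosts Host1/Host2, OU path "OU=Servers,DC=contoso,DC=com".
Import-Module ActiveDirectory

# 1. A KDS root key must exist. A new key only becomes usable after ~10 hours,
#    once every DC has replicated it; creation is logged as Event ID 4004.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created; wait ~10 hours before creating the gMSA.'
}
$kdsEvent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-KdsSvc/Operational'   # assumed log name
    Id      = 4004
} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $kdsEvent) { Write-Warning 'No KDS root key creation event (4004) found.' }

# 2. The schema must be at the Windows Server 2012 level (objectVersion 52);
#    later schema versions carry a higher number and also qualify.
$rootDse   = Get-ADRootDSE
$schemaVer = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
if ($schemaVer -lt 52) { throw "Schema objectVersion is $schemaVer; 52 or later is required." }

# 3. Grant password retrieval through a security group rather than per host,
#    so adding or removing hosts later never touches the gMSA object itself.
$group = Get-ADGroup -Filter "Name -eq 'ITFarmHosts'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name 'ITFarmHosts' -GroupScope Global -GroupCategory Security `
        -Path 'OU=Servers,DC=contoso,DC=com' -PassThru
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer 'Host1'), (Get-ADComputer 'Host2')

# 4. Create the gMSA. Only AES is allowed here; add RC4 only if a host needs it.
New-ADServiceAccount -Name 'ITFarm1' -DNSHostName 'ITFarm1.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames 'http/ITFarm1.contoso.com', 'http/ITFarm1' `
    -ManagedPasswordIntervalInDays 30

# 5. On each member host (after a reboot, so the new group membership is in the
#    computer's token), install the account and confirm it can fetch the password:
#    Install-ADServiceAccount -Identity 'ITFarm1'
#    Test-ADServiceAccount    -Identity 'ITFarm1'   # True when retrieval works
```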
    

Membership in Domain Admins, Account Operators, or the ability to create msDS-GroupManagedServiceAccount objects, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To create a gMSA for outbound authentication only using the New-ADServiceAccount cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    New-ADServiceAccount [-Name] <string> -RestrictToOutboundAuthenticationOnly [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>]

    | Parameter | String | Example |
    |---|---|---|
    | Name | Name of the account | ITFarm1 |
    | ManagedPasswordIntervalInDays | Password change interval in days (default is 30 days if not provided) | 75 |
    | PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts, or the security group that the member hosts are a member of | ITFarmHosts |

    Important

    The password change interval can only be set during creation. If you need to change the interval, you must create a new gMSA and set it at creation time.

Example

New-ADServiceAccount ITFarm1 -RestrictToOutboundAuthenticationOnly -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts

Step 2: Configuring the service identity for the application service

To configure the services in Windows Server 2012, see the following feature documentation:

Other services could support gMSA. See the appropriate product documentation for details on how to configure those services.

Adding member hosts to an existing server farm

If using security groups for managing member hosts, add the computer account for the new member host to the security group (that the gMSA's member hosts are a member of) using one of the following methods.

Membership in Domain Admins, or the ability to add members to the security group object, is the minimum required to complete these procedures.

If using computer accounts, find the existing accounts and then add the new computer account.

Membership in Domain Admins, Account Operators, or the ability to manage msDS-GroupManagedServiceAccount objects, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To add member hosts using the Set-ADServiceAccount cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Get-ADServiceAccount [-Identity] <ADServiceAccount> -Properties PrincipalsAllowedToRetrieveManagedPassword

  3. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Set-ADServiceAccount [-Identity] <ADServiceAccount> -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>

| Parameter | String | Example |
|---|---|---|
| Name | Name of the account | ITFarm1 |
| PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts, or the security group that the member hosts are a member of | Host1, Host2, Host3 |

Example

For example, to add member hosts, type the following commands, and then press ENTER.

Get-ADServiceAccount ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
# Set-ADServiceAccount replaces the whole list, so include the existing hosts as well as the new one; computer accounts are identified by their SAM account name, which ends in $.
Set-ADServiceAccount ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword 'Host1$','Host2$','Host3$'

Updating the group Managed Service Account properties

Membership in Domain Admins, Account Operators, or the ability to write to msDS-GroupManagedServiceAccount objects, is the minimum required to complete these procedures.

Open the Active Directory Module for Windows PowerShell, and set any property by using the Set-ADServiceAccount cmdlet.

For detailed information on how to set these properties, see Set-ADServiceAccount in the TechNet Library, or type Get-Help Set-ADServiceAccount at the Active Directory module for Windows PowerShell command prompt and press ENTER.

Decommissioning member hosts from an existing server farm

Membership in Domain Admins, or the ability to remove members from the security group object, is the minimum required to complete these procedures.

Step 1: Remove member host from gMSA

If using security groups for managing member hosts, remove the computer account for the decommissioned member host from the security group that the gMSA's member hosts are a member of, using either of the following methods.

If listing computer accounts, retrieve the existing accounts and then add all but the removed computer account.

Membership in Domain Admins, Account Operators, or the ability to manage msDS-GroupManagedServiceAccount objects, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To remove member hosts using the Set-ADServiceAccount cmdlet
  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Get-ADServiceAccount [-Identity] <ADServiceAccount> -Properties PrincipalsAllowedToRetrieveManagedPassword

  3. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Set-ADServiceAccount [-Identity] <ADServiceAccount> -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>

| Parameter | String | Example |
|---|---|---|
| Name | Name of the account | ITFarm1 |
| PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts, or the security group that the member hosts are a member of | Host1, Host3 |

Example

For example, to remove member hosts, type the following commands, and then press ENTER.

Get-ADServiceAccount ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
# Set-ADServiceAccount replaces the whole list, so pass only the hosts that keep access; computer accounts are identified by their SAM account name, which ends in $.
Set-ADServiceAccount ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword 'Host1$','Host3$'
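Both the "Adding member hosts" and the "Decommissioning member hosts" procedures above rely on the same read-modify-write step, because Set-ADServiceAccount overwrites PrincipalsAllowedToRetrieveManagedPassword rather than appending to it. The helper below, added here as an example and not part of the original article, performs that step safely for either case; the names ITFarm1 and Host1..Host3 are assumptions.

```powershell
# Added example (not from the original article): add or remove member hosts on
# a gMSA whose retrieval rights list computer accounts directly.
# Set-ADServiceAccount replaces PrincipalsAllowedToRetrieveManagedPassword
# wholesale, so the current list is read first and re-applied with the change.
# Assumed names: gMSA ITFarm1 and hosts Host1..Host3.
Import-Module ActiveDirectory

function Update-GmsaHostAccess {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,
        [string[]] $Add    = @(),   # computer names to grant retrieval
        [string[]] $Remove = @()    # computer names to revoke (e.g. a compromised host)
    )
    $gmsa = Get-ADServiceAccount -Identity $ServiceAccount `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    # Current principals come back as distinguished names; keep them unchanged.
    $current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    # Resolve the requested computer names to DNs so the lists compare cleanly.
    $toAdd    = @($Add    | ForEach-Object { (Get-ADComputer $_).DistinguishedName })
    $toRemove = @($Remove | ForEach-Object { (Get-ADComputer $_).DistinguishedName })

    $desired = @($current + $toAdd |
        Where-Object { $toRemove -notcontains $_ } |
        Select-Object -Unique)

    # Never leave the farm unable to fetch its own password.
    if (-not $desired) {
        throw "Refusing to leave $ServiceAccount with no principal able to retrieve its password."
    }
    Set-ADServiceAccount -Identity $gmsa -PrincipalsAllowedToRetrieveManagedPassword $desired
    return $desired
}

# Grant Host3, then revoke a host that must no longer hold the credential.
Update-GmsaHostAccess -ServiceAccount 'ITFarm1' -Add 'Host3'
Update-GmsaHostAccess -ServiceAccount 'ITFarm1' -Remove 'Host2'

# Revoking retrieval rights does not invalidate a password the removed host has
# already cached; that password stays valid until the next managed change.
```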

Step 2: Removing a group Managed Service Account from the system

Remove the cached gMSA credentials from the member host using Uninstall-ADServiceAccount or the NetRemoveServiceAccount API on the host system.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures.

To remove a gMSA using the Uninstall-ADServiceAccount cmdlet
  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Uninstall-ADServiceAccount <ADServiceAccount>

    Example

    For example, to remove the cached credentials for a gMSA named ITFarm1, type the following command, and then press ENTER:

    Uninstall-ADServiceAccount ITFarm1
    

For more information about the Uninstall-ADServiceAccount cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Uninstall-ADServiceAccount, and then press ENTER, or see the information on the TechNet web at Uninstall-ADServiceAccount.
