Remove-DbaSpn
Synopsis
Removes Service Principal Names from Active Directory service accounts and cleans up related Kerberos delegation
Description
Connects to Active Directory to remove specified SPNs from SQL Server service accounts and automatically cleans up associated Kerberos delegation settings. This is essential when decommissioning SQL Server instances, changing service accounts, or troubleshooting Kerberos authentication issues where duplicate or incorrect SPNs exist. The function searches for the service account (user or computer), removes the SPN from the servicePrincipalName property, and also removes any corresponding delegation entries from msDS-AllowedToDelegateTo to maintain a clean AD environment.
Requires write access to Active Directory through the provided credentials.
Syntax
Remove-DbaSpn
[-SPN] <String>
[-ServiceAccount] <String>
[[-Credential] <PSCredential>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Remove-DbaSpn -SPN MSSQLSvc/SQLSERVERA.domain.something -ServiceAccount domain\account
Connects to Active Directory and removes the provided SPN from the given account (and also the related delegation entry).
Example: 2
PS C:\> Remove-DbaSpn -SPN MSSQLSvc/SQLSERVERA.domain.something -ServiceAccount domain\account -EnableException
Connects to Active Directory and removes the provided SPN from the given account, suppressing the friendly warning messages and instead throwing exceptions that can be caught.
Example: 3
PS C:\> Remove-DbaSpn -SPN MSSQLSvc/SQLSERVERA.domain.something -ServiceAccount domain\account -Credential ad\sqldba
Connects to Active Directory and removes the provided SPN from the given account. Uses an alternative account to connect to AD.
Example: 4
PS C:\> Test-DbaSpn -ComputerName sql2005 | Where-Object { $_.isSet -eq $true } | Remove-DbaSpn -WhatIf
Shows what would happen when trying to remove all set SPNs for sql2005 and the related delegation entries.
Example: 5
PS C:\> Test-DbaSpn -ComputerName sql2005 | Where-Object { $_.isSet -eq $true } | Remove-DbaSpn
Removes all set SPNs for sql2005 and the related delegation entries.
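Building on the Description and on Examples 4 and 5, the following script is an added example (not part of the dbatools documentation): it removes every set SPN for one host, then queries AD directly to confirm that neither the servicePrincipalName value nor a matching msDS-AllowedToDelegateTo entry survived. The host name `sql2005`, the helper `Find-SpnReference`, and the use of `System.DirectoryServices` for the check are assumptions, not something the page documents.

```powershell
# Added example, not part of the dbatools documentation. Assumes dbatools is
# installed and that $Credential has write access to Active Directory.
$ComputerName = 'sql2005'                       # host being decommissioned (assumed)
$Credential   = Get-Credential -Message 'AD account with write access'

# 1. Inventory. Test-DbaSpn emits RequiredSPN and InstanceServiceAccount, which
#    Remove-DbaSpn binds by property name (see the Alias rows in the parameter tables).
$spns = Test-DbaSpn -ComputerName $ComputerName -Credential $Credential |
        Where-Object { $_.isSet -eq $true }
if (-not $spns) { Write-Warning "No SPNs are set for $ComputerName"; return }

# 2. Dry run: review the exact SPNs and delegation entries that would be touched.
$spns | Remove-DbaSpn -Credential $Credential -WhatIf

# 3. Remove. -EnableException turns the friendly warning into a terminating error,
#    so a partial cleanup cannot pass unnoticed in an unattended run.
foreach ($s in $spns) {
    try {
        Remove-DbaSpn -SPN $s.RequiredSPN -ServiceAccount $s.InstanceServiceAccount `
            -Credential $Credential -EnableException -Confirm:$false
    } catch {
        throw "Stopped: could not remove $($s.RequiredSPN): $($_.Exception.Message)"
    }
}

# 4. Verify against AD itself rather than trusting the cmdlet alone.
#    Find-SpnReference is a helper written for this example.
function Find-SpnReference {
    param([string]$Spn, [pscredential]$Cred)
    $pass    = $Cred.GetNetworkCredential().Password
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE', $Cred.UserName, $pass)
    $nc      = $rootDse.Properties['defaultNamingContext'][0]
    $base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$nc", $Cred.UserName, $pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    # Any object still holding the SPN, or still allowed to delegate to it, is a leftover.
    $searcher.Filter = "(|(servicePrincipalName=$Spn)(msDS-AllowedToDelegateTo=$Spn))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

foreach ($s in $spns) {
    $left = @(Find-SpnReference -Spn $s.RequiredSPN -Cred $Credential)
    if ($left.Count) { Write-Warning "$($s.RequiredSPN) still referenced by: $($left -join ', ')" }
    else             { Write-Host    "$($s.RequiredSPN): no servicePrincipalName or msDS-AllowedToDelegateTo reference left" }
}
```

A leftover reported in step 4 usually means the SPN is registered on a second account (a duplicate, which itself breaks Kerberos) and should be investigated before the host is retired.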
Required Parameters
-SPN
Specifies the exact Service Principal Name to remove from Active Directory. Must include the full SPN format like 'MSSQLSvc/servername:port' or 'MSSQLSvc/servername.domain.com'.
Use this when decommissioning SQL instances, changing service accounts, or cleaning up duplicate SPNs that cause Kerberos authentication failures.
| Property | Value |
|---|---|
| Alias | RequiredSPN |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value | |
-ServiceAccount
Specifies the Active Directory account (user or computer) that currently owns the SPN to be removed. Use domain\username format for user accounts or COMPUTERNAME$ for computer accounts.
This should match the account currently running the SQL Server service that you’re decommissioning or reconfiguring.
| Property | Value |
|---|---|
| Alias | InstanceServiceAccount,AccountName |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value | |
Optional Parameters
-Credential
The credential you want to use to connect to Active Directory to make the changes.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | true (ByPropertyName) |
| Default Value | |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
-WhatIf
Shows what would happen if the command were executed.
| Property | Value |
|---|---|
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value | |
-Confirm
Turns confirmations before changes on or off.
| Property | Value |
|---|---|
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value | |