Last updated on December 6th, 2016 at 01:12 pm
When removing SharePoint managed accounts, there is a right way and a wrong way …
The Right Way
- Use Central Admin GUI or “Remove-SPManagedAccount -Identity domain\user” PowerShell cmdlet to delete the managed account
- Delete the account from Active Directory
The Wrong Way
- Delete the account from Active Directory before removing the managed account from SharePoint
If the account is removed from Active Directory before being removed from SharePoint, administrative functions that rely on enumerating/manipulating the managed accounts will fail. For example, when clicking on “Configure service accounts” the following error would be displayed: Some or all identity references could not be translated.
To resolve the issue, the deleted Active Directory account must first be recovered using the LDP tool. Creating a new account with the same name will not work as the SharePoint managed account is tied to the unique security ID of the deleted Active Directory account. The following article explains manually recovering items in Active Directory using LDP: http://www.petri.co.il/manually-undeleting-objects-windows-active-directory-ad.htm. Once the account has been restored, it can then be removed from SharePoint, and then removed from Active Directory.
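The following PowerShell script is an added example, not part of the original post, that performs the removal in the order described above and first checks that every managed account still resolves, which is the check that fails with "Some or all identity references could not be translated" when an account was deleted from AD too early. It assumes the SharePoint Management Shell snap-in and the RSAT ActiveDirectory module are available on the server, and the account name used is a placeholder.

```powershell
# Added example: remove a SharePoint managed account in the correct order
# (SharePoint first, then Active Directory). Assumes the SharePoint snap-in
# and the ActiveDirectory module are installed on the SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Preflight: try to translate each managed account name to its SID. A managed
# account whose AD object is already gone throws IdentityNotMappedException,
# the same "identity references could not be translated" condition the GUI shows.
function Test-SPManagedAccountResolution {
    $broken = @()
    foreach ($ma in Get-SPManagedAccount) {
        try {
            $nt = New-Object System.Security.Principal.NTAccount($ma.Username)
            [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $broken += $ma.Username
        }
    }
    return $broken   # empty array means every managed account still resolves
}

function Remove-SPManagedAccountSafely {
    param([Parameter(Mandatory)][string]$Identity)   # e.g. 'CONTOSO\svc_placeholder'

    $unresolved = Test-SPManagedAccountResolution
    if ($unresolved.Count -gt 0) {
        # Stop here: restore the orphaned AD object (e.g. with LDP) before continuing,
        # otherwise managed-account enumeration will keep failing.
        throw "Unresolvable managed accounts found: $($unresolved -join ', ')"
    }

    # Step 1 (the right way): remove the managed account from SharePoint.
    $ma = Get-SPManagedAccount -Identity $Identity -ErrorAction Stop
    Remove-SPManagedAccount -Identity $ma -Confirm:$false

    # Step 2: only now delete the account from Active Directory.
    $sam = $Identity.Split('\')[-1]
    Remove-ADUser -Identity $sam -Confirm:$false
    Write-Output "Removed $Identity from SharePoint, then from Active Directory."
}

# Example call (placeholder account name):
# Remove-SPManagedAccountSafely -Identity 'CONTOSO\svc_placeholder'
```

Run the preflight function on its own first if you only want to confirm whether an orphaned managed account already exists in the farm.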