AD Sync Uninstallation

Ideal Conditions

When uninstalling AD Sync from a domain controller, ideally the following conditions will be true.

  • The user object uninstalling AD Sync is the same as the user object that originally installed it.
  • User Account Control (UAC) is completely disabled on the domain controller.
  • Anti-virus software is disabled.

Sometimes, these conditions cannot be met. In these cases, there are available workarounds.

Workarounds

Uninstalling With UAC Enabled

User Account Control (UAC) is known to interfere with AD Sync installation and uninstallation. To work around this, follow these steps.

  1. Open an elevated Command Prompt window
  2. Run MsiExec.exe /X{02B5D46F-F805-4919-A9AB-E82CFA0CCFCF}
  3. You should now be able to uninstall AD Sync normally

Uninstalling As a Different User Object

First you will need to set your PowerShell execution policy to allow unsigned code to be executed. This should be changed back after uninstallation is complete.

  1. Open an elevated PowerShell window
  2. Run Get-ExecutionPolicy and note the current security level
  3. Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted to allow unsigned code
  4. Download and execute the KeyTakeOwner.ps1 script below.
  5. If no errors were encountered, re-run Set-ExecutionPolicy with the security level previously noted in step two.
  6. You should now be able to uninstall AD Sync normally
KeyTakeOwner.ps1
# Name of the key container used by AD Sync
$containerName = "AD Sync Service"

# The key file name begins with the MD5 hash of the lower-cased container name plus a NUL terminator
$provider = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
$fileHash = $provider.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($containerName.ToLower() + "`0"))
$fileName = ""

# Write the hash as four DWORDs, each zero-padded to eight hex digits
for ($i = 0; $i -lt 16; $i += 4) {
	$fileName += "{0:x8}" -f [BitConverter]::ToUInt32($fileHash, $i)
}

# Full path: <ProgramData>\Microsoft\Crypto\RSA\MachineKeys\<hash>_<MachineGuid>
$filePath = Join-Path ([Environment]::GetFolderPath("CommonApplicationData")) "Microsoft\Crypto\RSA\MachineKeys"
$filePath = Join-Path $filePath $fileName
$filePath = $filePath + "_" + (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Cryptography").MachineGuid

if (Test-Path $filePath) {
	# Make the current user the owner, then grant Administrators and SYSTEM full control
	TAKEOWN /F "$filePath"
	ICACLS "$filePath" /grant Administrators:f
	ICACLS "$filePath" /grant System:f
	Write-Host "Key Container '$containerName' updated"
} else {
	Write-Host "ERROR: Key Container '$containerName' not updated, file '$filePath' not found"
}
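
The following read-only check is an added example, not part of the original page or of AD Sync. It derives the key container file path the same way as KeyTakeOwner.ps1 and lists the file's owner and access rules, so the state can be recorded before and after the script is run. The function name Get-MachineKeyFileName and the $expectedSids list are names chosen for this example.

```powershell
# Added example, not part of the original page. Read-only: it changes nothing.
$containerName = "AD Sync Service"            # container name from KeyTakeOwner.ps1
$expectedSids  = "S-1-5-32-544", "S-1-5-18"   # BUILTIN\Administrators, SYSTEM

function Get-MachineKeyFileName([string]$Name, [string]$MachineGuid) {
    # MD5 of the lower-cased name plus a NUL terminator, written as four
    # DWORDs of eight hex digits each, then "_" and the machine GUID.
    $md5   = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Name.ToLower() + "`0")
    $hash  = $md5.ComputeHash($bytes)
    $hex   = ""
    for ($i = 0; $i -lt 16; $i += 4) {
        $hex += "{0:x8}" -f [BitConverter]::ToUInt32($hash, $i)
    }
    "${hex}_$MachineGuid"
}

$guid = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Cryptography").MachineGuid
$dir  = Join-Path ([Environment]::GetFolderPath("CommonApplicationData")) "Microsoft\Crypto\RSA\MachineKeys"
$path = Join-Path $dir (Get-MachineKeyFileName $containerName $guid)

if (-not (Test-Path $path)) {
    Write-Host "Key container file not found: $path"
} else {
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        Write-Host "File : $path"
        Write-Host "Owner: $($acl.Owner)"
        # Ask for SIDs rather than account names so the comparison is locale-independent
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid  = $rule.IdentityReference.Value
            # Mark entries other than the two principals KeyTakeOwner.ps1 grants
            $note = if ($expectedSids -contains $sid) { "" } else { "  <-- not granted by KeyTakeOwner.ps1" }
            Write-Host ("{0,-5} {1,-14} {2}{3}" -f $rule.AccessControlType, $sid, $rule.FileSystemRights, $note)
        }
    } catch {
        # The current user may not be able to read the ACL before ownership is taken
        Write-Host "Cannot read the ACL of '$path' as the current user: $($_.Exception.Message)"
    }
}
```

Run it from the same elevated PowerShell window used for the steps above; entries marked in the output are existing grants to other principals and are left in place by KeyTakeOwner.ps1.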