Remove or delete KDSRootKey (KDS Root Key)
When creating a gMSA (group managed service account) for Docker it is easy to run the scripts too many times, leaving yourself with multiple KDS Root Keys – I’m not aware of a PowerShell command to remove them, but this user-interface-based method works to delete the unwanted KDS Root Keys.
To view the KDS keys
Use the PowerShell command:
Get-KdsRootKey
This will list the keys, including the KeyId that will be required in the next step.
If you accidentally created more than one key by running the scripts to create a gMSA user multiple times, you may delete the keys you don’t need. The creation time will give you a clue as to which keys are surplus.
To remove or delete the KDSRootKey
From the Run command, type:
dssite.msc
This will launch Active Directory Sites and Services; use the View menu to select “Show Services Node”.
The keys displayed there should match the KeyIds listed previously. Click the key you wish to delete and remove it with right-click > Delete or Action menu > Delete.
It is possible to view the created-date properties by right-clicking each key, selecting Properties, then selecting the Object tab. However, I prefer the PowerShell method as it presents a nicely formatted list in one hit; when many keys have been created this can be more efficient.
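The check a practitioner wants before deleting any root key is whether an existing gMSA still depends on it: a gMSA whose password is derived from a deleted root key can no longer be retrieved by its hosts. The script below is an added example, not from the original post. It lists the keys with Get-KdsRootKey as above, reads each gMSA’s msDS-ManagedPasswordId to find the root key it references, locates the same key objects in the Configuration partition (the objects the Sites and Services “Services” node shows), and prints what would be removed using Remove-ADObject -WhatIf, so nothing is deleted until you drop -WhatIf yourself. Assumptions, labelled in the comments: the ActiveDirectory and Kds modules are present; the container path and object class are the standard ones for KDS, with each key’s CN equal to its KeyId; and the root-key GUID sits at byte offset 24 of the msDS-ManagedPasswordId blob, as laid out in the MS-GKDI Group Key Envelope. Removing the key object with Remove-ADObject is my assumption about how the GUI delete maps to PowerShell, not something the original post states.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory and Kds
# PowerShell modules are installed on a domain-joined admin workstation or DC.
Import-Module ActiveDirectory
Import-Module Kds

# 1. List every KDS root key, oldest first (same data as the Get-KdsRootKey listing above).
$keys = Get-KdsRootKey | Sort-Object CreationTime
$keys | Select-Object KeyId, CreationTime, EffectiveTime, DomainController | Format-Table -AutoSize

# 2. Work out which root key each existing gMSA actually references.
#    Assumption: msDS-ManagedPasswordId is an MS-GKDI Group Key Envelope header whose
#    RootKeyIdentifier GUID follows the 24 header bytes (version, magic "KDSK", flags, L0, L1, L2).
function Get-GmsaRootKeyId {
    param([byte[]] $ManagedPasswordId)
    if (-not $ManagedPasswordId -or $ManagedPasswordId.Length -lt 40) { return $null }
    $magic = [System.Text.Encoding]::ASCII.GetString($ManagedPasswordId[4..7])
    if ($magic -ne 'KDSK') { return $null }     # not the layout we expect; don't guess
    return [guid]::new([byte[]]$ManagedPasswordId[24..39])
}

$inUse = @{}
foreach ($sa in Get-ADServiceAccount -Filter * -Properties 'msDS-ManagedPasswordId') {
    $rk = Get-GmsaRootKeyId -ManagedPasswordId $sa.'msDS-ManagedPasswordId'
    if ($rk) { $inUse[$rk.ToString()] += @($sa.Name) }
}

# 3. Split keys into "referenced by a gMSA" and "unreferenced" (the surplus ones from
#    repeated script runs). Referenced keys are never candidates for deletion.
$candidates = @()
foreach ($k in $keys) {
    $id = $k.KeyId.ToString()
    if ($inUse.ContainsKey($id)) {
        Write-Host "KEEP   $id  created $($k.CreationTime)  used by: $($inUse[$id] -join ', ')"
    } else {
        Write-Host "SPARE  $id  created $($k.CreationTime)  (no gMSA references it)"
        $candidates += $k
    }
}
# Always keep at least one valid key so new gMSAs can still be created.
if ($candidates.Count -eq $keys.Count) {
    $oldest = $candidates | Sort-Object CreationTime | Select-Object -First 1
    $candidates = $candidates | Where-Object { $_.KeyId -ne $oldest.KeyId }
    Write-Host "Retaining oldest key $($oldest.KeyId); valid = $(Test-KdsRootKey -KeyId $oldest.KeyId)"
}

# 4. Find the same keys as directory objects in the Configuration partition. Assumption:
#    standard KDS container, object class msKds-ProvRootKey, CN equal to the KeyId GUID.
$configNc     = (Get-ADRootDSE).configurationNamingContext
$kdsContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNc"
$adKeys = Get-ADObject -SearchBase $kdsContainer -Filter 'objectClass -eq "msKds-ProvRootKey"' -Properties whenCreated

# 5. Dry run: -WhatIf reports what would be removed and removes nothing. Only after you
#    have checked the SPARE list by hand should -WhatIf be dropped.
foreach ($c in $candidates) {
    $obj = $adKeys | Where-Object { $_.Name -eq $c.KeyId.ToString() }
    if ($null -eq $obj) { Write-Warning "No directory object found for $($c.KeyId)"; continue }
    Remove-ADObject -Identity $obj.DistinguishedName -WhatIf
}
```

Run this as a Domain Admin (or an account delegated on the Configuration partition) against a writable domain controller; if the magic check fails for a gMSA the script refuses to classify that key as spare rather than guessing, so the worst case of a wrong assumption is a key that is kept, not one that is deleted.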