New Active Directory Documents for IT Pros - Active Directory Documentation Team - TechNet Blogs

Active Directory Documentation Team

Information for IT Professionals who work with Active Directory. All blog posts are provided "AS IS" with no warranties, and confer no rights.

Create Managed Service Accounts with PowerShell. Do not create managed service accounts with Active Directory Users and Computers.


Some versions of Active Directory Users and Computers (dsa.msc) expose an option to create objects of the schema class msDS-ManagedServiceAccount. You should not use this option. It appears only because the class exists in the schema; a managed service account created this way is missing several required properties, so the account will not work as a managed service account. Instead, create managed service accounts with the New-ADServiceAccount cmdlet in the Active Directory module for Windows PowerShell.


Example 1

The following example demonstrates how to create a service account, SQL-SRV1, in the container Managed Service Accounts in the Fabrikam.com domain:

New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM"

Example 2

The following example creates the same service account, SQL-SRV1, in the same container of the Fabrikam.com domain, but also enables the account, sets an initial password and registers a service principal name (SPN) for SQL Server on FABRIKAM-SRV1, port 1456. Note that the password is given in plain text on the command line, so it is written to the console history, to any transcript and to any script that contains the line; a managed service account normally does not need -AccountPassword at all, because the domain controller generates and maintains the password.

New-ADServiceAccount SQL-SRV1 -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM" -ServicePrincipalNames "MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM:1456"

Examples from http://technet.microsoft.com/en-us/library/dd391964.aspx
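The examples above show only the creation step. The following is an added example, not from the original post or the TechNet reference page, that carries the procedure through: create the account without a plaintext password, verify that the resulting object has the attributes a managed service account needs (the check that would catch an object created through the GUI path described above), authorise a host to use it, and install it on that host. The domain FABRIKAM.COM, the account SQL-SRV1, the host FABRIKAM-SRV1 and the SPN are the names used in the examples above and are assumptions; the sAMAccountType value 805306369 is SAM_MACHINE_ACCOUNT, the type a managed service account carries.

```powershell
# Added example (not from the original post): create, verify, bind and install a
# managed service account. Names below are assumptions taken from the examples above.
Import-Module ActiveDirectory   # required on PowerShell 2.0; harmless on 3.0 and later

$msaName  = 'SQL-SRV1'
$msaPath  = 'CN=Managed Service Accounts,DC=FABRIKAM,DC=COM'
$hostName = 'FABRIKAM-SRV1'
$spn      = 'MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM:1456'

# --- Part 1: run from any machine with the AD module, as an account that may create
#     objects in $msaPath (for example a domain administrator) ---

# 1. Create the account. No -AccountPassword: the domain controller generates the
#    password and rotates it, so there is no secret to type, log or transcribe.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'" -SearchBase $msaPath)) {
    New-ADServiceAccount -Name $msaName -Path $msaPath -Enabled $true `
        -ServicePrincipalNames $spn
}

# 2. Verify the object is really a managed service account. An object created through
#    the ADUC schema option or plain ADSI fails these checks (wrong class or a user-type
#    sAMAccountType), and the service-account cmdlets on the host will not accept it.
$msa = Get-ADServiceAccount -Identity $msaName `
    -Properties objectClass, sAMAccountName, sAMAccountType, servicePrincipalName

if ($msa.objectClass -ne 'msDS-ManagedServiceAccount') {
    throw "$msaName has objectClass '$($msa.objectClass)', expected msDS-ManagedServiceAccount"
}
if ($msa.sAMAccountType -ne 805306369) {   # 0x30000001 = SAM_MACHINE_ACCOUNT
    throw "$msaName has sAMAccountType $($msa.sAMAccountType), expected 805306369 (machine account). Was it created outside PowerShell?"
}
if (-not $msa.sAMAccountName.EndsWith('$')) {
    throw "$msaName has sAMAccountName '$($msa.sAMAccountName)', expected a trailing '$'"
}
if ($msa.servicePrincipalName -notcontains $spn) {
    throw "$msaName is missing SPN $spn"
}
Write-Host "$msaName verified: $($msa.DistinguishedName)"

# 3. Authorise the computer that will run the service to use the account. Only this
#    computer can then retrieve the password and install the account.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- Part 2: run on $hostName itself (AD module installed), as a local administrator ---
# Installs the account into the local security authority so services can run under
# FABRIKAM\SQL-SRV1$ with a blank password field; Test-ADServiceAccount confirms the
# host can actually authenticate with it before any service is reconfigured.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$msaName is not usable on $env:COMPUTERNAME; check that Add-ADComputerServiceAccount targeted this host"
}
Write-Host "$msaName installed and tested on $env:COMPUTERNAME"
```

Part 1 and Part 2 run in different places with different rights, which is the point of the design: the domain administrator never handles the password, and the host cannot install an account it was not bound to. If step 2 throws for an existing object, delete it and recreate it with New-ADServiceAccount rather than trying to patch the attributes, since sAMAccountType cannot be changed on an existing object.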

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments
  • Nice post, easy but not enough if you're using the DC role on a Windows Core server.

    Before using New-ADServiceAccount you need to run the following PowerShell commands:

    DISM /online /enable-feature /featurename=ActiveDirectory-PowerShell

    Import-Module ActiveDirectory

    If you don't do this you'll receive an error and you will spend hours on the web to find what to do...

    Hope it helps!

  • Don't you think it's pretty poor that we HAVE to use PowerShell and can't create an MSA any other way? We can't do it via the AD Users & Computers GUI and we can't even do it from .NET or ADSI scripts, because when you do that the sAMAccountType property is set to a user type rather than a computer type and you can't change it because it is owned by the system. It seems that PowerShell gets around this by using the AD Web Services, which are not documented anywhere near well enough to allow anyone outside of Microsoft to use them for this purpose. Why not just fix AD so that it creates these types of objects with the correct attribute values in the first place instead of working around it by calling a web service that has system permissions and so can bend the rules that are applied to everyone else? Very annoying.

  • Alberto, thanks for the tip. If you are using Windows PowerShell 3.0, you no longer need to import the module. Running any cmdlet that requires the module will automatically initiate the import.

    Chris, thanks for the feedback. It has been shared with the responsible feature teams within the Active Directory product group.

    Thanks,

    Justin [Active Directory Documentation Team]
