New Active Directory Documents for IT Pros
Although some versions of Active Directory Users and Computers (dsa.msc) may expose a schema option to add Managed Service Accounts (msDS-ManagedServiceAccount). You should not use this option. This option is exposed because it is a schema option, but should not be used because several required properties will not be attached to managed service accounts created in this manner. Instead, you should use PowerShell to create managed service accounts.
The following example demonstrates how to create a service account, SQL-SRV1, in the container Managed Service Accounts in the Fabrikam.com domain:
New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM"
New-ADServiceAccount SQL-SRV1 -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM" -ServicePrincipalNames "MSSQLSVC/FABRIKAM-SRV1.FABRIKAM.COM:1456"
Examples from http://technet.microsoft.com/en-us/library/dd391964.aspx
This posting is provided "AS IS" with no warranties, and confers no rights.
Nice post easy but not enough, if you're using dc role on a windows core server.
Before using New-AdServiceAccount you need to run the following powershell commands:
DISM /online /enable-feature /featurename=ActiveDirectory-PowerShell
If don't do this you'll receive an error and you will spend hours on the web to find what to do...
Hope it helps!
Don't you think this is pretty poor that we HAVE to use Powershell and can't create an MSA any other way? We can't do it via the AD Users & Computers GUI and we can't even do it from .NET or ADSI scripts, because when you do that the sAMAccountType property is set to a user type rather than a computer type and you can't change it because it is owned by the system. It seems that Powershell gets around this by using the AD Web Services, which are not documented anywhere near well enough to allow anyone outside of Microsoft to use them for this purpose. Why not just fix AD so that it creates these type of objects with the correct attribute values in the first place instead of working around it by calling a web service that has system permissions so can bend the rules that are applied to everyone else. Very annoying.
Alberto, thanks for the tip. If you are using Windows PowerShell 3.0, you no longer need to import the module. Running any cmdlet that requires the module will automatically initiate the import.
Chris, thanks for the feedback. It has been shared with the responsible feature teams within the Active Directory product group.
Justin [Active Directory Documentation Team]