Synopsis
Description
The Path parameter specifies the container or organizational unit (OU) for the new MSA object. When you do not specify the Path parameter, the cmdlet creates an object in the default Managed Service Accounts container for MSA objects in the domain.
Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new MSA object or retrieve a copy of an existing MSA object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory MSA objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADServiceAccount cmdlet to create the MSA objects.
Parameters
-AccountExpirationDate
Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AccountNotDelegated <Boolean>
Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AccountPassword <SecureString>
Specifies a new password value for the service account. This value is stored as an encrypted string.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AuthenticationPolicy <ADAuthenticationPolicy>
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AuthenticationPolicySilo <ADAuthenticationPolicySilo>
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AuthType <ADAuthType>
Specifies the authentication method to use. Possible values for this parameter include:
Required? false
Position? named
Default value Microsoft.ActiveDirectory.Management.AuthType.Negotiate
Accept pipeline input? false
Accept wildcard characters? false
-Certificates <String[]>
Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-CompoundIdentitySupported <Boolean>
Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are:
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Credential <PSCredential>
Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-DNSHostName <String>
Specifies the Domain Name System (DNS) host name.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Description <String>
Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DisplayName <String>
Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Enabled <Boolean>
Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include:
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-HomePage <String>
Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Instance <ADServiceAccount>
Specifies an instance of a service account object to use as a template for a new service account object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-KerberosEncryptionType <ADKerberosEncryptionType>
Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are:
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ManagedPasswordIntervalInDays <Int32>
Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.
Required? false
Position? named
Default value 30
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Name <String>
Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".
Required? true
Position? 2
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-OtherAttributes <Hashtable>
Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PassThru <SwitchParameter>
Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>
Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>
Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RestrictToOutboundAuthenticationOnly <SwitchParameter>
Switch which is used to create a group managed service account which on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-RestrictToSingleComputer <SwitchParameter>
Switch which is used to create a managed service account that can be used only for a single computer. These managed service accounts which are linked to a single computer account were introduced in Windows Server 2008 R2.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-SamAccountName <String>
Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName".
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Server <String>
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ServicePrincipalNames <String[]>
Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values.
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-TrustedForDelegation <Boolean>
Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are:
Required? false
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm <SwitchParameter>
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf <SwitchParameter>
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
Syntax
New-ADServiceAccount [-WhatIf] [-Confirm] [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthenticationPolicy <ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType <ADAuthType>] [-Certificates <String[]>] [-CompoundIdentitySupported <Boolean>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] -DNSHostName <String> [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Int32>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation <Boolean>] [<CommonParameters>]
New-ADServiceAccount [-WhatIf] [-Confirm] [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AccountPassword <SecureString>] [-AuthenticationPolicy <ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType <ADAuthType>] [-Certificates <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-RestrictToSingleComputer] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation <Boolean>] [<CommonParameters>]
New-ADServiceAccount [-WhatIf] [-Confirm] [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthenticationPolicy <ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType <ADAuthType>] [-Certificates <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-RestrictToOutboundAuthenticationOnly] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation <Boolean>] [<CommonParameters>]
This cmdlet does not work with AD LDS.
C:\PS>New-ADServiceAccount service1 -DNSHostName SRV.TOSSolution.com -Enabled $true
Create a new enabled managed service account in AD DS.
C:\PS>New-ADServiceAccount SRV -ServicePrincipalNames “MSSQLSVC/MC3.Delhi.TOSSolution.com” -DNSHostName SRV.TOSSolution.com
Create a new managed service account and register its service principal name.
C:\PS>New-ADServiceAccount SRV -RestrictToSingleComputer
Create a new managed service account and restrict its use to only a single computer.
C:\PS>New-ADServiceAccount SRV -RestrictToOutboundAuthenticationOnly
Create a new managed service account and restrict its use to only outbound authentication.
Get-Command New-ADServiceAccount
. Get-ADServiceAccount
. Install-ADServiceAccount
. Remove-ADServiceAccount
. Set-ADServiceAccount
. Uninstall-ADServiceAccount