Export (0) Print
Expand All
Expand Minimize

New-ADServiceAccount

Windows Server 2012 and Windows 8

Applies To: Windows Server 2012

New-ADServiceAccount

Creates a new Active Directory managed service account or group managed service account object.

Syntax

Parameter Set: Group
New-ADServiceAccount [-Name] <String> -DNSHostName <String> [-AccountExpirationDate <DateTime> ] [-AccountNotDelegated <Boolean> ] [-AuthType <ADAuthType> ] [-Certificates <String[]> ] [-CompoundIdentitySupported <Boolean> ] [-Credential <PSCredential> ] [-Description <String> ] [-DisplayName <String> ] [-Enabled <Boolean> ] [-HomePage <String> ] [-Instance <ADServiceAccount> ] [-KerberosEncryptionType <ADKerberosEncryptionType> ] [-ManagedPasswordIntervalInDays <Int32> ] [-OtherAttributes <Hashtable> ] [-PassThru] [-Path <String> ] [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]> ] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]> ] [-SamAccountName <String> ] [-Server <String> ] [-ServicePrincipalNames <String[]> ] [-TrustedForDelegation <Boolean> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: RestrictedToOutboundAuthenticationOnly
New-ADServiceAccount [-Name] <String> -RestrictToOutboundAuthenticationOnly [-AccountExpirationDate <DateTime> ] [-AccountNotDelegated <Boolean> ] [-AuthType <ADAuthType> ] [-Certificates <String[]> ] [-Credential <PSCredential> ] [-Description <String> ] [-DisplayName <String> ] [-Enabled <Boolean> ] [-HomePage <String> ] [-Instance <ADServiceAccount> ] [-KerberosEncryptionType <ADKerberosEncryptionType> ] [-OtherAttributes <Hashtable> ] [-PassThru] [-Path <String> ] [-SamAccountName <String> ] [-Server <String> ] [-ServicePrincipalNames <String[]> ] [-TrustedForDelegation <Boolean> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: RestrictedToSingleComputer
New-ADServiceAccount [-Name] <String> -RestrictToSingleComputer [-AccountExpirationDate <DateTime> ] [-AccountNotDelegated <Boolean> ] [-AccountPassword <SecureString> ] [-AuthType <ADAuthType> ] [-Certificates <String[]> ] [-Credential <PSCredential> ] [-Description <String> ] [-DisplayName <String> ] [-Enabled <Boolean> ] [-HomePage <String> ] [-Instance <ADServiceAccount> ] [-KerberosEncryptionType <ADKerberosEncryptionType> ] [-OtherAttributes <Hashtable> ] [-PassThru] [-Path <String> ] [-SamAccountName <String> ] [-Server <String> ] [-ServicePrincipalNames <String[]> ] [-TrustedForDelegation <Boolean> ] [-Confirm] [-WhatIf] [ <CommonParameters>]




Detailed Description

The New-ADServiceAccount cmdlet creates a new Active Directory managed service account (MSA). By default a group MSA is created. To create a standalone MSA which is linked to a specific computer, the -Standalone parameter is used. To create a group MSA which can only be used in client roles, the -Agent parameter is used. This creates a group MSA which can be used for outbound connections only and attempts to connect to services using this account will fail since the account does not have enough information for authentication to be successful. You can set commonly used MSA property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter.

The Path parameter specifies the container or organizational unit (OU) for the new MSA object. When you do not specify the Path parameter, the cmdlet creates an object in the default Managed Service Accounts container for MSA objects in the domain.

The following methods explain different ways to create an object by using this cmdlet.

Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.

Method 2: Use a template to create the new object. To do this, create a new MSA object or retrieve a copy of an existing MSA object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.

Method 3: Use the Import-CSV cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory MSA objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADServiceAccount cmdlet to create the MSA objects.

Parameters

-AccountExpirationDate<DateTime>

Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires.

Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object.

"4/17/2006"

"Monday, April 17, 2006"

"2:22:45 PM"

"Monday, April 17, 2006 2:22:45 PM"

These examples specify the same date and the time without the seconds.

"4/17/2006 2:22 PM"

"Monday, April 17, 2006 2:22 PM"

"2:22 PM"

The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT).

"Mon, 17 Apr 2006 21:22:48 GMT"

The following example shows how to specify a round-trip value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC.

"2006-04-17T14:22:48.0000000"

The following example shows how to set this parameter to the date May 1, 2012 at 5 PM.

-AccountExpirationDate "05/01/2012 5:00:00 PM"


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-AccountNotDelegated<Boolean>

Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include

$false or 0

$true or 1

The following example shows how to set this parameter so that the security context of the account is not delegated to a service.

-AccountNotDelegated $true


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-AccountPassword<SecureString>

Specifies a new password value for the service account. This value is stored as an encrypted string.

The following conditions apply based on the manner in which the password parameter is used:

$null password is specified - Random password is set and the account is enabled unless it is requested to be disabled

No password is specified - Random password is set and the account is enabled unless it is requested to be disabled

User password is specified - Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled

The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled service account account object with a password that violates domain password policy, such as an empty password.

The following example shows how to set this parameter. This command will prompt you to enter the password.

-AccountPassword (Read-Host -AsSecureString "AccountPassword")


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-AuthType<ADAuthType>

Specifies the authentication method to use. Possible values for this parameter include:

Negotiate or 0

Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

The following example shows how to set this parameter to Basic.

-AuthType Basic


Aliases

none

Required?

false

Position?

named

Default Value

Microsoft.ActiveDirectory.Management.AuthType.Negotiate

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Certificates<String[]>

Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate".

Syntax:

To add values:

-Certificates @{Add=value1,value2,...}

To remove values:

-Certificates @{Remove=value3,value4,...}

To replace values:

-Certificates @{Replace=value1,value2,...}

To clear all values:

-Certificates $null

You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values

-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators will be applied in the following sequence:

..Remove

..Add

..Replace

The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password>

Set-ADServiceAccount Service1 -Certificates @{Add=$cert}

The following example shows how to add a certificate that is specified as a byte array.

Set-ADServiceAccount Service1 -Certificates @{Add= [Byte[]](0xC5,0xEE,0x53,...)}


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CompoundIdentitySupported<Boolean>

Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are:

$false or 0

$true or 1

The following example shows how to specify that an account supports compound identity.

-CompoundIdentitySupported $true

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Credential<PSCredential>

Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type an administrative account name, such as "Admin1" or "Contoso\Admin1" or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then use it to specify the Credential parameter to the ADServiceAccount object.

The following example shows how to create credentials.

$AdminCredentials = Get-Credential "Contoso\Admin1"

The following shows how to use the PSCredential object to specify administrative credentials when creating a new ADServiceAccount object by using the Credential parameter.

New-ADServiceAccount -Credential $AdminCredentials

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DNSHostName<String>

Specifies the Domain Name System (DNS) host name.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Description<String>

Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

The following example shows how to set this parameter to a sample description.

-Description "Description of the object"


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-DisplayName<String>

Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

The following example shows how to include this parameter when creating a new service account.

New-ADServiceAccount -DisplayName "Service Account for use with Contoso LOB Application"


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Enabled<Boolean>

Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include:

$false or 0

$true or 1

The following example shows how to set this parameter to enable the service account when creating it.

New-ADServiceAccount -Enabled $true


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-HomePage<String>

Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage".

The following example shows how to set this parameter to a URL when creating the service account.

New-ADServiceAccount -HomePage "http://accounts.contoso.com/Service1"


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Instance<ADServiceAccount>

Specifies an instance of a service account object to use as a template for a new service account object.

You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create service account object templates.

Method 1: Use an existing service account object as a template for a new object. To retrieve an instance of an existing service account object, use a cmdlet such as Get-ADServiceAccount. Then provide this object to the Instance parameter of the New-ADServiceAccount cmdlet to create a new service account object. You can override property values of the new object by setting the appropriate parameters.

$serviceAccountInstance = Get-ADServiceAccount -Identity

New-ADServiceAccount -Name "ServiceAdmin2" -Instance $serviceAccountInstance -Description "Service Account 2"

Method 2: Create a new ADServiceAccount object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADServiceAccount cmdlet to create the new Active Directory service account object.

$serviceAccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount

$serviceAccountInstance. Description "Service Account 2"

Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-KerberosEncryptionType<ADKerberosEncryptionType>

Specifies whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. Possible values for this parameter are:

None

DES

RC4

AES128

AES256

None, will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account.

DES is a weak encryption type which is not supported by default since Windows 7 and Windows Server 2008 R2.

The following example shows how to specify that an account supports service tickets with device authorization data.

-KerberosEncryptionTypes RC4,AES128,AES256

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ManagedPasswordIntervalInDays<Int32>

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

The following example shows how to specify a 90 day password changes interval:

-ManagedPasswordIntervalInDays 90


Aliases

none

Required?

false

Position?

named

Default Value

30

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Name<String>

Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

The following example shows how to set this parameter to a name string.

-Name "Service1"


Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-OtherAttributes<Hashtable>

Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.

Syntax:

To specify a single value for an attribute:

-OtherAttributes @{'AttributeLDAPDisplayName'=value}

To specify multiple values for an attribute

-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:

-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

The following examples show how to use this parameter.

To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax:

-OtherAttributes @{'favColors'="pink","purple"}

To set values for favColors and dateOfBirth simultaneously, use the following syntax:

-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"}


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Path<String>

Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.

In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.

In AD DS environments, a default value for Path will be set in the following cases:

- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.

- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.

- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Path will be set in the following cases:

- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.

- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.

- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.

- If none of the previous cases apply, the Path parameter will not take any default value.

The following example shows how to set this parameter to an OU.

-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com"

Note: The Active Directory Provider cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-PrincipalsAllowedToDelegateToAccount<ADPrincipal[]>

Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-PrincipalsAllowedToRetrieveManagedPassword<ADPrincipal[]>

Specifies the membership policy for systems which can use a group managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group managed service account object. This parameter should be set to the principals allowed to use this group managed service account.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-RestrictToOutboundAuthenticationOnly

Switch which is used to create a group managed service account which on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-RestrictToSingleComputer

Switch which is used to create a managed service account that can be used only for a single computer. These managed service accounts which are linked to a single computer account were introduced in Windows Server 2008 R2.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamAccountName<String>

Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName".

The following example shows how to specify this parameter.

-SAMAccountName "Service1"

Note: If the SAMAccountName string provided, does not end with a '$', one will be appended if needed.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Server<String>

Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.

Domain name values:

Fully qualified domain name (FQDN)

Examples: corp.contoso.com

NetBIOS name

Example: CORP

Directory server values:

Fully qualified directory server name

Example: corp-DC12.corp.contoso.com

NetBIOS name

Example: corp-DC12

Fully qualified directory server name and port

Example: corp-DC12.corp.contoso.com:3268

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:

-By using Server value from objects passed through the pipeline.

-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.

-By using the domain of the computer running Powershell.

The following example shows how to specify a full qualified domain name as the parameter value.

New-ADServiceAccount -Server "corp.contoso.com"

The following example shows how to specify a full qualified directory server name as the parameter value.

New-ADServiceAccount -Server "corp-DC12.corp.contoso.com"


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ServicePrincipalNames<String[]>

Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values.

Syntax:

To add values:

-ServicePrincipalNames @{Add=value1,value2,...}

To remove values:

-ServicePrincipalNames @{Remove=value3,value4,...}

To replace values:

-ServicePrincipalNames @{Replace=value1,value2,...}

To clear all values:

-ServicePrincipalNames $null

You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names.

@{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators will be applied in the following sequence:

..Remove

..Add

..Replace

The following example shows how to add and remove service principal names.

-ServicePrincipalNames-@{Add="SQLservice\accounting.corp.contoso.com:1456"};{Remove="SQLservice\finance.corp.contoso.com:1456"}


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-TrustedForDelegation<Boolean>

Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are:

$false or 0

$true or 1

The following example shows how to specify that an account is trusted for Kerberos delegation.

-TrustedForDelegation $true


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see    about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None or Microsoft.ActiveDirectory.Management.ADServiceAccount

    A managed service account object that is a template for the new managed service account object is received by the Instance parameter.


Outputs

The output type is the type of the objects that the cmdlet emits.

  • None or Microsoft.ActiveDirectory.Management.ADServiceAccount

    Returns the new managed service account object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.


Notes

  • This cmdlet does not work with AD LDS.

    This cmdlet does not work with an Active Directory Snapshot.

    This cmdlet does not work with a read-only domain controller.

    This cmdlet requires that you create a Microsoft Key Distribution Service root key first to begin using group managed service accounts in your Active Directory deployment. For more information on how to create the KDS root key using Windows PowerShell, see Create the Key Distribution Services KDS Root Key (http://go.microsoft.com/fwlink/?LinkId=253584).

Examples

-------------------------- EXAMPLE 1 --------------------------

Description

-----------

Create a new enabled managed service account in AD DS.


C:\PS>New-ADServiceAccount service1 -DNSHostName service1.contoso.com -Enabled $true

-------------------------- EXAMPLE 2 --------------------------

Description

-----------

Create a new managed service account and register its service principal name.


C:\PS>New-ADServiceAccount service1 -ServicePrincipalNames "MSSQLSVC/Machine3.corp.contoso.com" -DNSHostName service1.contoso.com

-------------------------- EXAMPLE 3 --------------------------

Description

-----------

Create a new managed service account and restrict its use to only a single computer.


C:\PS>New-ADServiceAccount service1 -RestrictToSingleComputer

-------------------------- EXAMPLE 4 --------------------------

Description

-----------

Create a new managed service account and restrict its use to only outbound authentication.


C:\PS>New-ADServiceAccount service1 -RestrictToOutboundAuthenticationOnly

Related topics

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft