Install-ADServiceAccount

Windows Server 2012 R2 and Windows 8.1

Actualizado: julio de 2015

Se aplica a: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2

Install-ADServiceAccount

Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer.

Sintaxis

Parameter Set: Identity
Install-ADServiceAccount [-Identity] <ADGroup> [-AccountPassword <SecureString> ] [-AuthType <ADAuthType> {Negotiate | Basic} ] [-Force] [-PromptForPassword] [-Confirm] [-WhatIf] [ <CommonParameters>]




Descripción detallada

The Install-ADServiceAccount cmdlet installs an existing Active Directory managed service account on the computer on which the cmdlet is run. This cmdlet verifies that the computer is eligible to host the managed service account. The cmdlet also makes the required changes locally so that the managed service account password can be managed without requiring any user action.

The Identity parameter specifies the Active Directory managed service account to install. You can identify a managed service account by its distinguished name, GUID, security identifier (SID), or security accounts manager (SAM) account name. You can also set the parameter to a managed service account object variable, such as $<localServiceaccountObject> or pass a managed service account object through the pipeline to the Identity parameter. For example, you can use Get-ADServiceAccount to get a managed service account object and then pass the object through the pipeline to the Install-ADServiceAccount.

The AccountPassword parameter allows you to pass a secure string that contains the password of a standalone managed service account and is ignored for group managed service accounts. Alternatively, you can use PromptForPassword parameter to prompt for the standalone managed service account password. You must enter the password of a standalone managed service account if you want to install an account that you have provisioned. This is required when you are installing a standalone managed service account on a server located on a segmented network (site) with read-only domain controllers (for example, a perimeter network or DMZ). In this case you should create the standalone managed service account, link it with the appropriate computer account, and assign a well-known password that must be passed when installing the standalone managed service account on the server on the read-only domain controller site. If you pass both AccountPassword and PromptForPassword parameters, the AccountPassword parameter takes precedence.

Parámetros

-AccountPassword<SecureString>

Specifies the account password as a secure string. This parameter enables you to specify the password of a standalone managed service account that you have provisioned and is ignored for group managed service accounts. This is required when you are installing a standalone managed service account on a server located on a segmented network (site) with read-only domain controllers (for example, a perimeter network or DMZ). In this case you should create the standalone managed service account, link it with the appropriate computer account, and assign a well-known password that must be passed when installing the standalone managed service account on the server on the read-only domain controller site with no access to writable domain controllers. If you pass both AccountPassword and PromptForPassword parameters, the AccountPassword parameter takes precedence.


Alias

ninguno

¿Requerido?

false

¿Posición?

named

Valor predeterminado

ninguno

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

-AuthType<ADAuthType>

Specifies the authentication method to use. Possible values for this parameter include: Los valores aceptables para este parámetro son los siguientes:

-- Negotiate or 0
-- Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.


Alias

ninguno

¿Requerido?

false

¿Posición?

named

Valor predeterminado

Microsoft.ActiveDirectory.Management.AuthType.Negotiate

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

-Force

Forces installation of the service account.


Alias

ninguno

¿Requerido?

false

¿Posición?

named

Valor predeterminado

ninguno

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

-Identity<ADGroup>

Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute. Los valores aceptables para este parámetro son los siguientes:

-- A distinguished name
-- A GUID (objectGUID)
-- A security identifier (objectSid)
-- A security accounts manager account name (sAMAccountName)

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.


Alias

ninguno

¿Requerido?

true

¿Posición?

1

Valor predeterminado

ninguno

¿Aceptar canalización?

True (ByValue)

¿Aceptar caracteres comodín?

false

-PromptForPassword

Indicates that you can enter the password of a standalone managed service account that you have pre-provisioned and ignored for group managed service accounts. This is required when you are installing a standalone managed service account on a server located on a segmented network (site) with no access to writable domain controllers, but only read-only domain controllers (RODCs) (e.g. perimeter network or DMZ). In this case you should create the standalone managed service account, link it with the appropriate computer account, and assign a well-known password that must be passed when installing the standalone managed service account on the server on the RODC-only site. If you pass both AccountPassword and PromptForPassword parameters the AccountPassword parameter takes precedence.


Alias

ninguno

¿Requerido?

false

¿Posición?

named

Valor predeterminado

ninguno

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

-Confirm

Solicita confirmación antes de ejecutar el cmdlet.


¿Requerido?

false

¿Posición?

named

Valor predeterminado

falso

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

-WhatIf

Muestra lo que sucedería si se ejecutara el cmdlet. El cmdlet no se ejecuta.


¿Requerido?

false

¿Posición?

named

Valor predeterminado

falso

¿Aceptar canalización?

false

¿Aceptar caracteres comodín?

false

<CommonParameters>

Este cmdlet admite los siguientes parámetros comunes: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer y -OutVariable. Para obtener más información, consulte about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216).

Entradas

El tipo de entrada es el tipo de los objetos que se pueden canalizar al cmdlet.

  • Microsoft.ActiveDirectory.Management.ADServiceAccount

    A managed service account object is received by the Identity parameter.


Salidas

El tipo de resultado es el tipo de objetos que emite el cmdlet.

  • None

Notas

  • This cmdlet does not work with Active Directory Lightweight Directory Services (AD LDS).

  • This cmdlet does not work with an Active Directory snapshot.

  • This cmdlet does not work with a read-only domain controller.

  • To successfully install a managed service account, the service account should have the PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet first. Otherwise, installation will fail.

Ejemplos

Example 1: Install a managed service account on the local computer

This command installs a managed service account with name SQL-HR-svc-01 on the local computer. If a group managed service account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.


PS C:\> Install-ADServiceAccount -Identity 'SQL-HR-svc-01'

Example 2: Get a managed service account and install it on the local computer

This command gets a managed service account with name SQL-HR-svc-01 from the default directory and installs it on the local computer. If a group managed service account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.


PS C:\> $Account = Get-ADServiceAccount -Filter { Name -eq 'SQL-HR-svc-01'}
PS C:\> Install-ADServiceAccount $Account

Example 3: Install a standalone managed service account for a read-only domain controller site

This command installs a standalone managed service account identified as SQL-HR-svc-01 in a read-only domain controller site. If a group managed service account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.


PS C:\> Install-ADServiceAccount -Identity 'SQL-HR-svc-01' -PromptForPassword

Example 4: Install a standalone managed service account with the specified password

This command installs a standalone managed service account with the name SQL-HR-svc-01 in a read-only domain controller site, and passes the account password as a secure string. If a group managed service account is used, the service account must have the PrincipalsAllowedToRetrieveManagedPassword property set.


PS C:\> Install-ADServiceAccount -Identity 'SQL-HR-svc-01' -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) 

Temas relacionados

Adiciones de comunidad

AGREGAR
Mostrar: