New-ADServiceAccount

Creates a new Active Directory managed service account or group managed service account object.

Syntax

New-ADServiceAccount
   [-WhatIf]
   [-Confirm]
   [-AccountExpirationDate <DateTime>]
   [-AccountNotDelegated <Boolean>]
   [-AuthenticationPolicy <ADAuthenticationPolicy>]
   [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]
   [-AuthType <ADAuthType>]
   [-Certificates <String[]>]
   [-CompoundIdentitySupported <Boolean>]
   [-Credential <PSCredential>]
   [-Description <String>]
   [-DisplayName <String>]
   -DNSHostName <String>
   [-Enabled <Boolean>]
   [-HomePage <String>]
   [-Instance <ADServiceAccount>]
   [-KerberosEncryptionType <ADKerberosEncryptionType>]
   [-ManagedPasswordIntervalInDays <Int32>]
   [-Name] <String>
   [-OtherAttributes <Hashtable>]
   [-PassThru]
   [-Path <String>]
   [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
   [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>]
   [-SamAccountName <String>]
   [-Server <String>]
   [-ServicePrincipalNames <String[]>]
   [-TrustedForDelegation <Boolean>]
   [<CommonParameters>]
New-ADServiceAccount
   [-WhatIf]
   [-Confirm]
   [-AccountExpirationDate <DateTime>]
   [-AccountNotDelegated <Boolean>]
   [-AccountPassword <SecureString>]
   [-AuthenticationPolicy <ADAuthenticationPolicy>]
   [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]
   [-AuthType <ADAuthType>]
   [-Certificates <String[]>]
   [-Credential <PSCredential>]
   [-Description <String>]
   [-DisplayName <String>]
   [-Enabled <Boolean>]
   [-HomePage <String>]
   [-Instance <ADServiceAccount>]
   [-KerberosEncryptionType <ADKerberosEncryptionType>]
   [-Name] <String>
   [-OtherAttributes <Hashtable>]
   [-PassThru]
   [-Path <String>]
   [-RestrictToSingleComputer]
   [-SamAccountName <String>]
   [-Server <String>]
   [-ServicePrincipalNames <String[]>]
   [-TrustedForDelegation <Boolean>]
   [<CommonParameters>]
New-ADServiceAccount
   [-WhatIf]
   [-Confirm]
   [-AccountExpirationDate <DateTime>]
   [-AccountNotDelegated <Boolean>]
   [-AuthenticationPolicy <ADAuthenticationPolicy>]
   [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]
   [-AuthType <ADAuthType>]
   [-Certificates <String[]>]
   [-Credential <PSCredential>]
   [-Description <String>]
   [-DisplayName <String>]
   [-Enabled <Boolean>]
   [-HomePage <String>]
   [-Instance <ADServiceAccount>]
   [-KerberosEncryptionType <ADKerberosEncryptionType>]
   [-Name] <String>
   [-OtherAttributes <Hashtable>]
   [-PassThru]
   [-Path <String>]
   [-RestrictToOutboundAuthenticationOnly]
   [-SamAccountName <String>]
   [-Server <String>]
   [-ServicePrincipalNames <String[]>]
   [-TrustedForDelegation <Boolean>]
   [<CommonParameters>]

Description

The New-ADServiceAccount cmdlet creates a new Active Directory managed service account. By default, the cmdlet creates a group managed service account. To create a standalone managed service account which is linked to a specific computer, use the RestrictToSingleComputer parameter. To create a group managed service account which can only be used in client roles, use the RestrictToOutboundAuthenticationOnly parameter. This creates a group managed service account that can be used for outbound connections only and any attempts to connect to services using this account will fail because the account does not have enough information for authentication. You can set commonly used managed service account property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter.

The Path parameter specifies the container or organizational unit (OU) for the new managed service account object. When you do not specify the Path parameter, the cmdlet creates an object in the default managed service accounts container for managed service account objects in the domain.

The following methods explain different ways to create an object by using this cmdlet.

  • Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.

  • Method 2: Use a template to create the new object. To do this, create a new managed service account object or retrieve a copy of an existing managed service account object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.

  • Method 3: Use the Import-Csv cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory managed service account objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. For more information, type Get-Help Import-CSV. Then pass these objects through the pipeline to the New-ADServiceAccount cmdlet to create the managed service account objects.

Examples

Example 1: Create an enabled managed service account

PS C:\> New-ADServiceAccount -Name "Service01" -DNSHostName "Service01.contoso.com" -Enabled $True

This command creates an enabled managed service account in Active Directory Domain Services (AD DS).

Example 2: Create a managed service account and register its service principal name

PS C:\> New-ADServiceAccount -Name "Service01" -ServicePrincipalNames "MSSQLSVC/Machine3.corp.contoso.com" -DNSHostName "Service01.contoso.com"

This command creates a managed service account and registers its service principal name.

Example 3: Create a managed service account for a single computer

PS C:\> New-ADServiceAccount -Name "Service01" -RestrictToSingleComputer

This command creates a managed service account and restricts its use to a single computer.

Example 4: Create a managed service account for outbound authentication only

PS C:\> New-ADServiceAccount -Name "Service01" -RestrictToOutboundAuthenticationOnly

This command creates a managed service account and restricts its use to outbound authentication.

Example 5: Create a new managed service account and register multiple service principal names

PS C:\> New-ADServiceAccount service1 -ServicePrincipalNames "HTTP/Machine3.corp.contoso.com,HTTP/Machine3.corp.contoso.com/contoso" -DNSHostName service1.contoso.com

Parameters

-AccountExpirationDate

Specifies the expiration date for an account. This parameter sets the AccountExpirationDate property of an account object. The LDAP display name (ldapDisplayName) for this property is accountExpires.

Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date.

Type:DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-AccountNotDelegated

Indicates whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-AccountPassword

Specifies a new password value for the service account. This value is stored as an encrypted string.

The following conditions apply based on the manner in which the password parameter is used:

  • $Null password is specified. Random password is set and the account is enabled unless it is requested to be disabled.
  • No password is specified. Random password is set and the account is enabled unless it is requested to be disabled.
  • User password is specified. Password is set and the account is enabled unless it is requested to be disabled, unless the password you provided does not meet password policy or was not set for other reasons, at which point the account is disabled.

The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password. There is no way to create an enabled service account object with a password that violates domain password policy, such as an empty password.

Type:SecureString
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-AuthenticationPolicy

Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats:

  • Distinguished name
  • GUID
  • Name

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error.

Type:ADAuthenticationPolicy
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-AuthenticationPolicySilo

Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats:

  • Distinguished name
  • GUID
  • Name

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error.

Type:ADAuthenticationPolicySilo
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-AuthType

Specifies the authentication method to use. The acceptable values for this parameter are:

  • Negotiate or 0
  • Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

Type:ADAuthType
Accepted values:Negotiate, Basic
Position:Named
Default value:Microsoft.ActiveDirectory.Management.AuthType.Negotiate
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Certificates

Specifies an array of certificates. The cmdlet modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is userCertificate.

To add values:

-Certificates @{Add=value1,value2,...}

To remove values:

-Certificates @{Remove=value3,value4,...}

To replace values:

-Certificates @{Replace=value1,value2,...}

To clear all values:

-Certificates $Null

You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values:

-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators are applied in the following sequence:

  • Remove
  • Add
  • Replace
Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CompoundIdentitySupported

Indicates whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. The acceptable values for this parameter are:

  • $False or 0
  • $True or 1

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Credential

Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type an administrative account name, such as Admin1 or Contoso\Admin1 or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is description.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DisplayName

Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is displayName.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DNSHostName

Specifies the Domain Name System (DNS) host name.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Enabled

Indicates whether an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory UAC attribute.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-HomePage

Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is wWWHomePage.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Instance

Specifies an instance of a service account object to use as a template for a new service account object.

You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script.

Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set raises an error.

Type:ADServiceAccount
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-KerberosEncryptionType

Indicates whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. The acceptable values for this parameter are:

  • None
  • DES
  • RC4
  • AES128
  • AES256

None will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account.

DES is a weak encryption type that is not supported by default since Windows 7 and Windows Server 2008 R2.

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.

Type:ADKerberosEncryptionType
Accepted values:None, DES, RC4, AES128, AES256
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ManagedPasswordIntervalInDays

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

Type:Int32
Position:Named
Default value:30
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Name

Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is name.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-OtherAttributes

Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAP Display Name (ldapDisplayName) defined for it in the Active Directory schema.

To specify a single value for an attribute:

-OtherAttributes @{'AttributeLDAPDisplayName'=value}

To specify multiple values for an attribute

-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:

-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Path

Specifies the X.500 path of the organizational unit (OU) or container where the new object is created.

In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules are evaluated.

In AD DS environments, a default value for Path is set in the following cases:

  • If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
  • If the cmdlet has a default path, this is used. For example: in New-ADUser, the Path parameter defaults to the Users container.
  • If none of the previous cases apply, the default value of Path is set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Path is set in the following cases:

  • If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
  • If the cmdlet has a default path, this is used. For example: in New-ADUser, the Path parameter defaults to the Users container.
  • If the target AD LDS instance has a default naming context, the default value of Path is set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent object (nTDSDSA) for the AD LDS instance.
  • If none of the previous cases apply, the Path parameter does not take any default value.

Note: The Active Directory Provider cmdlets, such as New-Item, Remove-Item, Remove-ItemProperty, Rename-Item, and Set-ItemProperty, also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-PrincipalsAllowedToDelegateToAccount

Specifies the accounts that can act on the behalf of users to services running as this managed service account or group-managed service account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object.

Type:ADPrincipal[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-PrincipalsAllowedToRetrieveManagedPassword

Specifies the membership policy for systems that can use a group-managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group-managed service account object. This parameter should be set to the principals allowed to use this group-managed service account.

Type:ADPrincipal[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-RestrictToOutboundAuthenticationOnly

Indicates that the cmdlet creates a group-managed service account that on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication.

Type:SwitchParameter
Accepted values:true
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RestrictToSingleComputer

Indicates that the cmdlet creates a managed service account that can be used only for a single computer. Managed service accounts that are linked to a single computer account were introduced in Windows Server 2008 R2.

Type:SwitchParameter
Accepted values:true
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SamAccountName

Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 15 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is sAMAccountName.

Note: If the specified SAMAccountName string does not end with a $ (dollar sign), one is appended if necessary.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Server

Specifies the Active Directory Domain Services (AD DS) instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services (AD LDS), AD DS, or Active Directory snapshot instance.

Domain name values:

  • Fully qualified domain name (FQDN)
  • NetBIOS name

Directory server values:

  • Fully qualified directory server name
  • NetBIOS name
  • Fully qualified directory server name and port

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:

  • By using Server value from objects passed through the pipeline.
  • By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  • By using the domain of the computer running PowerShell.
Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ServicePrincipalNames

Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values.

To add values:

-ServicePrincipalNames @{Add=value1,value2,...}

To remove values:

-ServicePrincipalNames @{Remove=value3,value4,...}

To replace values:

-ServicePrincipalNames @{Replace=value1,value2,...}

To clear all values:

-ServicePrincipalNames $Null

You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names.

@{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators are applied in the following sequence:

  • Remove
  • Add
  • Replace
Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-TrustedForDelegation

Indicates whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. The acceptable values for this parameter are:

  • $False or 0
  • $True or 1
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None or Microsoft.ActiveDirectory.Management.ADServiceAccount

A managed service account object that is a template for the new managed service account object is received by the Instance parameter.

Outputs

None or Microsoft.ActiveDirectory.Management.ADServiceAccount

Returns the new managed service account object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.

Notes

  • This cmdlet does not work with AD LDS.
  • This cmdlet does not work with an Active Directory snapshot.
  • This cmdlet does not work with a read-only domain controller.
  • This cmdlet requires that you create a Microsoft Group Key Distribution Service (GKDS) root key first to begin using group managed service accounts in your Active Directory deployment. For more information on how to create the GKDS root key using Windows PowerShell, see Create the Key Distribution Services KDS Root Key.