Install an Active Directory service account on a computer.

      Install-ADServiceAccount [-Identity] ADServiceAccount
         [-Force] [-AuthType {Negotiate | Basic}]
            [-Confirm] [-WhatIf] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.


   -Identity ADServiceAccount
       An AD service account object, specified with one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=WebAccount,CN=ManagedServiceAccounts, DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-3165297888-301567370-576410423-1103
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: WebAccount$

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

       This example shows how to set the parameter to a distinguished name.
          -Identity  "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=SS64,DC=com"

       This example shows how to set this parameter to a group object instance named "accountInstance".
          -Identity $accountInstance

       Prompt for confirmation before executing the command.

       Describe what would happen if you executed the command, without actually executing the command.

Install-ADServiceAccount installs an existing AD service account on the computer on which the cmdlet is run.

MSA’s can run one (or more) services on one specific computer.

  1. Create the MSA in AD. (New-ADServiceAccount)
  2. Associate the MSA with a computer in AD. (Add-ADComputerServiceAccount )
  3. Install the MSA on the computer that was associated. (Install-ADServiceAccount)
  4. Configure the service(s) to use the MSA.

Install-ADServiceAccount verifies that the computer is eligible to host the service account. The cmdlet also makes the required changes locally so that the service account password can be periodically reset by the computer without requiring any user action.

The -Identity parameter specifies the Active Directory service account to install. Identify a service account by its distinguished name Members (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a service account object variable, or pass a service account object through the pipeline. For example, from Get-ADServiceAccount.


Install a Service Account named 'svc64' on the local computer:

PS C:\> Install-ADServiceAccount -Identity 'svc64'

Get a Service Account named 'svc64' from the default directory and install it on the local machine.:

PS C:\> $acct = Get-ADServiceAccount -Filter { Name -eq 'svc64'}
PS C:\> Install-ADServiceAccount $acct

“If you want to know the end, look at the beginning” ~ African Proverb

Related PowerShell Cmdlets

Get-adServiceAccount - Get one or more AD service accounts.
New-adServiceAccount - Create a new AD service account.
Set-adServiceAccount - Modify an AD service account.
Uninstall-adServiceAccount - UnInstall an AD service account from a computer.
Active Directory Management Gateway Service - Required to manage AD Domain Services with PowerShell. - Configure Standalone and Group Managed Service Accounts.

Copyright © 1999-2023
Some rights reserved