Create a new Active Directory service account.

      New-ADServiceAccount [-Name] string [-AccountExpirationDate DateTime]
         [-AccountNotDelegated bool] [-AccountPassword SecureString]
            [-AuthType {Negotiate | Basic}] [-Certificates string[]]
               [-Credential PSCredential] [-Description string] [-DisplayName string]
                  [-Enabled bool] [-HomePage string] [-Instance ADServiceAccount]
                     [-OtherAttributes hashtable] [-PassThru] [-Path string]
                        [-SamAccountName string] [-Server string] 
                           [-ServicePrincipalNames string[]] [-TrustedForDelegation bool]
                              [-Confirm] [-WhatIf] [CommonParameters]

   -AccountExpirationDate [System.DateTime]
       The expiry date for the account. (0=never expires)        
       Use PowerShell DateTime syntax
       Time is assumed to be local time unless otherwise specified.
       The default time is 12:00 (Midday) local time.
       The default date is the current date.
       Examples using GMT, UTC and local time:
        -AccountExpirationDate "Mon, 17 Apr 2011 21:22:48 GMT"
        -AccountExpirationDate "2011-04-17T14:22:48.0000000" 
        -AccountExpirationDate "04/17/2011 2:22:48 PM"
       The LDAP provider name (ldapDisplayName) for this property is accountExpires.

   -AccountNotDelegated bool
       Security delegation. When True, the security context of the user is not
       delegated to a service even when the service account is set as trusted for
       Kerberos delegation. Sets the AccountNotDelegated property for an AD account.
       This parameter also sets the ADS_UF_NOT_DELEGATED flag of the AD User Account
       Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AccountPassword SecureString
       A new password value for an account.
       This value is stored as an encrypted string.

       If a $null or no password is specified, a Random password will be set and
       the account will be enabled (unless it is requested to be disabled)

       If a password is specified, the Password will be set and the account enabled 
       (unless it is requested to be disabled, the password does not meet password policy or
       was not set for other reasons, at which point the account will be disabled.

Managed Service accounts, normally and by default will be created with a 240-character random password.
If a password is manually provided, an attempt will be made to set that password however, this can fail due to password policy restrictions.
(If this happens use Set-ADAccountPassword to reset the password.)
In order to ensure that accounts remain secure, service accounts will never be enabled unless a valid password is set (either a randomly-generated or user-provided one) or PasswordNotRequired is set to true.

The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password.
There is no way to create an enabled service account object with a password that violates domain password policy, such as an empty password.
If the password fails for any reason the account will be created but disabled.

       Example, this command will prompt for a password:
          -AccountPassword (Read-Host -AsSecureString "AccountPassword")

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Certificates X509Certificate[]
       Modifies the DER-encoded X.509v3 certificates of the account.
       These certificates include the public key certificates issued to
       this account by the Microsoft Certificate Service. 
       Sets the Certificates property of the account object.
       The LDAP provider Name for this property is "userCertificate".

       Syntax to add/remove/replace/clear:
         -Certificates @{Add=value1,value2,...}
         -Certificates @{Remove=value3,value4,...}
         -Certificates @{Replace=value1,value2,...}
         -Certificates $null

       Multiple operations may be specified by using a list separated by semicolons.
         -Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "MSAccount64" or "Domain01\MSAccount64" or a PSCredential object.

   -Description string
       A description of the object.
       The LDAP provider Name for this property is "description".

   -DisplayName string
       The display name of the object.
       The LDAP provider Name for this property is "displayName".

   -Enabled bool
       Is the account enabled.
       An enabled account requires a password.
       This parameter sets the Enabled property for an account object.
       Also sets the ADS_UF_ACCOUNTDISABLE flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -HomePage string
       The URL of the home page of the object.
       The LDAP provider Name for this property is "wWWHomePage".

   -Identity ADAccount
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 9abd016a-31af-470a-af5a-be175343f9c3
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Instance ADServiceAccount
       An instance of a service account object to use as a template for a new service account object.
       Method 1: Use an existing service account object as a template for a new object. Retrieve an
       instance of an existing computer object with Get-ADServiceAccount. Then provide this object
       to the -Instance parameter of New-ADServiceAccount to create a new user object.
       property values may also be overridden for the new object by setting the appropriate parameters. 

         $serviceaccountInstance = Get-ADServiceAccount -Identity 
         New-ADServiceAccount -Name "ServiceAdmin_2"  -Instance $serviceaccountInstance -Description "Service Account2"

       Method 2: Create a new ADServiceAccount object and pass this object to the -Instance parameter
       of the New-ADServiceAccount cmdlet to create the new AD service account object. 

          $serviceaccountInstance = new-object Microsoft.ActiveDirectory.Management.ADServiceAccount
          $serviceaccountInstance.Description = "Service Account 2"

   -Name string
       The name of the object. (Maximum 15 characters)
       The LDAP provider Name of this property is "name".

   -OtherAttributes hashtable
        Specifies object attribute values for attributes that are not represented by cmdlet parameters.
        To specify a single value:
           -OtherAttributes @{'AttributeLDAPName'=value}
        To specify multiple values
           -OtherAttributes @{'AttributeLDAPName'=value1,value2,...}

           -OtherAttributes @{'ItemPrice'=123; 'favColors'="red","blue"}

       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -Path string
       The X.500 path of the OU or container where the new object is created.         
       In many cases, a default value will be used for -Path.

          -Path "ou=test1,dc=demo,dc=ss64,dc=com"

       Note: PowerShell cmdlets, such New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and 
       Set-ItemProperty also contain a -Path property. However, for the AD provider cmdlets, -Path 
       identifies the path of the actual object and not the container.

   -SamAccountName string
       The Security Account Manager (SAM) account name of the user, group, computer, or service account.
       The maximum length of the description is 256 characters.
       For compatibility with older operating systems use 20 characters or less.
       The LDAP provider Name of this property is "sAMAccountName".
       If the value provided is not terminated with a '$' character, the system will add one if needed.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name or Fully qualified directory server name (with or without port number).

       Examples:  demo

   -ServicePrincipalNames string[]
       The service principal names for the account.
       Use the following syntax to add remove, replace or clear service principal name values:

          -ServicePrincipalNames @{Add=value1,value2,...}
          -ServicePrincipalNames @{Remove=value3,value4,...}
          -ServicePrincipalNames @{Replace=value1,value2,...}
          -ServicePrincipalNames $null

       Multiple operations may be specified by using a list separated by semicolons.
         -ServicePrincipalNames @{Add=value1,value2,...};@{Remove=value3,value4,...}

         -ServicePrincipalNames @{Add="SQLservice\"};{Remove="SQLservice\"}

   -TrustedForDelegation bool
       Whether an account is trusted for Kerberos delegation.
       A service that runs under an account that is trusted for Kerberos delegation can
       assume the identity of a client requesting the service. 
       This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

       Prompt for confirmation before executing the command.

       Describe what would happen if you executed the command, without actually executing the command.

New-ADServiceAccount creates a new Managed Service Account (MSA).

MSA’s can run one (or more) services on one specific computer.

  1. Create the MSA in AD. (New-ADServiceAccount)
  2. Associate the MSA with a computer in AD. (Add-ADComputerServiceAccount )
  3. Install the MSA on the computer that was associated. (Install-ADServiceAccount)
  4. Configure the service(s) to use the MSA.

MSAs are applicable only to services running on Windows 7 or Window Server 2008 R2. Because of their dependency on the host computer account, they are restricted to an individual OS instance, making them unsuitable for applications operating on failover clusters or Network Load Balancing farms.

MSAs also require an AD schema that has been extended to at least Windows Server 2008 R2.

Set commonly used service account property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the -OtherAttributes parameter.

The -Path parameter specifies the container or organizational unit (OU) for the new service account object. If -Path is not specified, the cmdlet creates an object in the default container for service account objects in the domain.

Error Message: ‘Unknown error (0xc0000017)', this generally means the MSA name was over the 15 character limit.

All Managed Service Accounts are created (by default) in the CN=Managed Service Accounts, DC=domain, DC=com container. You can see this by configuring DSA.MSC to show “Advanced Features”.
However, all administration of MSA's is done through PowerShell.

There are 3 ways to create a new object with this cmdlet:

Specify the required parameters, and set any additional property values by using the cmdlet parameters.

Use a template to create the new object. Set the -Instance parameter to an object to be used as a template for the new object.

Use Import-CSV to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to New-ADServiceAccount to create the service account objects.


Create a new enabled service account in AD DS by only specifying the name of the new account:

PS C:\> New-ADServiceAccount MSA-sharepoint08 -Enabled $true

Create a new service account named MSA-sharepoint08 and register the service account's ServicePrincipalName:

PS C:\> New-ADServiceAccount MSA-sharepoint08 -ServicePrincipalNames "MSSQLSVC/"

“Identity would seem to be the garment with which one covers the nakedness of the self, in which case, it is best that the garment be loose, a little like the robes of the desert, through which one's nakedness can always be felt, and, sometimes, discerned” ~ James Arthur Baldwin

Related PowerShell Cmdlets

Get-adServiceAccount - Get one or more AD service accounts.
Install-adServiceAccount - Install an AD service account on a computer.
Remove-adServiceAccount - Remove an AD service account.
Add-adComputerServiceAccount - Add one or more service accounts to an AD computer.
ADprep - Extend the Active Directory schema (Enterprise Admin task).
Active Directory Management Gateway Service - Required to manage AD Domain Services with PowerShell. - Configure Standalone and Group Managed Service Accounts.

Copyright © 1999-2023
Some rights reserved