
New-ADServiceAccount



This is the built-in help made by Microsoft for the command 'New-ADServiceAccount', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a new Active Directory managed service account or group managed service account object.

SYNTAX


New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthenticationPolicy <ADAuthenticationPolicy>]
[-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType {Negotiate | Basic}] [-Certificates <String[]>] [-CompoundIdentitySupported <Boolean>] [-Credential
<PSCredential>] [-Description <String>] [-DisplayName <String>] [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType {None | DES
| RC4 | AES128 | AES256}] [-ManagedPasswordIntervalInDays <Int32>] [-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-PrincipalsAllowedToDelegateToAccount
<ADPrincipal[]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>]
[-TrustedForDelegation <Boolean>] -DNSHostName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AccountPassword <SecureString>] [-AuthenticationPolicy
<ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType {Negotiate | Basic}] [-Certificates <String[]>] [-Credential <PSCredential>]
[-Description <String>] [-DisplayName <String>] [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType {None | DES | RC4 | AES128
| AES256}] [-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>]
[-TrustedForDelegation <Boolean>] -RestrictToSingleComputer [-Confirm] [-WhatIf] [<CommonParameters>]
New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthenticationPolicy <ADAuthenticationPolicy>]
[-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType {Negotiate | Basic}] [-Certificates <String[]>] [-Credential <PSCredential>] [-Description <String>]
[-DisplayName <String>] [-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType {None | DES | RC4 | AES128 | AES256}]
[-OtherAttributes <Hashtable>] [-PassThru] [-Path <String>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation
<Boolean>] -RestrictToOutboundAuthenticationOnly [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The New-ADServiceAccount cmdlet creates a new Active Directory managed service account (MSA). By default, the cmdlet creates a group MSA. To create a standalone MSA that is linked to a specific computer, use the -RestrictToSingleComputer parameter. To create a group MSA that can be used only in client roles, use the -RestrictToOutboundAuthenticationOnly parameter. Such an account can be used for outbound connections only; any attempts to connect to services using this account will fail because the account does not have enough information for authentication to succeed.

You can set commonly used MSA property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter.


The Path parameter specifies the container or organizational unit (OU) for the new MSA object. When you do not specify the Path parameter, the cmdlet creates an object in
the default Managed Service Accounts container for MSA objects in the domain.


The following methods explain different ways to create an object by using this cmdlet.


Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.


Method 2: Use a template to create the new object. To do this, create a new MSA object or retrieve a copy of an existing MSA object and set the Instance parameter to this
object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet
parameters. For examples and more information, see the Instance parameter description for this cmdlet.


Method 3: Use the Import-CSV cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory MSA objects. To do this, use the Import-CSV cmdlet to create the
custom objects from a comma-separated value (CSV) file that contains a list of object properties. For more information, type Get-Help Import-CSV. Then pass these objects
through the pipeline to the New-ADServiceAccount cmdlet to create the MSA objects.
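
A sketch of Method 3 for group MSAs, added here as an example and not part of the Microsoft help text: each CSV row is validated, password retrieval is limited to one named group, and Kerberos is restricted to AES. The column names, the group, host and SPN values, and the function name New-GmsaFromRow are hypothetical; it assumes the ActiveDirectory module and a domain already prepared for group MSAs (KDS root key present).

```powershell
Import-Module ActiveDirectory

# Constructed sample rows; Import-Csv -Path <file> yields the same kind of objects.
$rows = @'
Name,DNSHostName,RetrieverGroup,SPN
svc-web01,svc-web01.contoso.com,WebFarmHosts,HTTP/web.contoso.com
svc-sql01,svc-sql01.contoso.com,SqlHosts,MSSQLSvc/sql01.contoso.com:1433
svc-bad01,,SqlHosts,
'@ | ConvertFrom-Csv

function New-GmsaFromRow {
    # Hypothetical helper; SupportsShouldProcess lets -WhatIf flow to New-ADServiceAccount.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        # -DNSHostName is mandatory in the group MSA parameter set.
        if (-not $Row.Name -or -not $Row.DNSHostName) {
            Write-Warning "Skipping row '$($Row.Name)': Name and DNSHostName are required."
            return
        }
        # Resolve the group first so a typo is caught before any account is created.
        try {
            $group = Get-ADGroup -Identity $Row.RetrieverGroup -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$($Row.Name)': group '$($Row.RetrieverGroup)' not found."
            return
        }
        $params = @{
            Name                                       = $Row.Name
            DNSHostName                                = $Row.DNSHostName
            Enabled                                    = $true
            # Only members of this group may retrieve the managed password.
            PrincipalsAllowedToRetrieveManagedPassword = $group
            # Leave DES and RC4 out of the supported encryption types.
            KerberosEncryptionType                     = 'AES128,AES256'
            PassThru                                   = $true
        }
        if ($Row.SPN) { $params.ServicePrincipalNames = @($Row.SPN) }
        New-ADServiceAccount @params
    }
}

# Dry run: reports what would be created; remove -WhatIf to create the accounts.
$rows | New-GmsaFromRow -WhatIf
```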




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=291076
Get-ADServiceAccount
Install-ADServiceAccount
Remove-ADServiceAccount
Set-ADServiceAccount
Uninstall-ADServiceAccount

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\> New-ADServiceAccount -Name "service01" -DNSHostName "service01.contoso.com" -Enabled $true



This command creates a new enabled managed service account in AD DS.




-------------------------- EXAMPLE 2 --------------------------

PS C:\> New-ADServiceAccount -Name "service01" -ServicePrincipalNames "MSSQLSVC/Machine3.corp.contoso.com" -DNSHostName "service01.contoso.com"



This command creates a new managed service account and registers its service principal name.




-------------------------- EXAMPLE 3 --------------------------

PS C:\> New-ADServiceAccount -Name "service01" -RestrictToSingleComputer



This command creates a new managed service account and restricts its use to a single computer.




-------------------------- EXAMPLE 4 --------------------------

PS C:\> New-ADServiceAccount -Name "service01" -RestrictToOutboundAuthenticationOnly



This command creates a new managed service account and restricts its use to outbound authentication only.