
New-ADServiceAccount



This is the built-in help made by Microsoft for the command 'New-ADServiceAccount', in PowerShell version 3 - as retrieved from Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a new Active Directory managed service account or group managed service account object.

SYNTAX


New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthType <ADAuthType>]
[-Certificates <String[]>] [-CompoundIdentitySupported <Boolean>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>]
[-Enabled <Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>]
[-ManagedPasswordIntervalInDays <Int32>] [-OtherAttributes <Hashtable>] [-PassThru [<SwitchParameter>]] [-Path <String>]
[-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName
<String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation <Boolean>] -DNSHostName <String> [-Confirm
[<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]

New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AccountPassword <SecureString>]
[-AuthType <ADAuthType>] [-Certificates <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Enabled
<Boolean>] [-HomePage <String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-OtherAttributes
<Hashtable>] [-PassThru [<SwitchParameter>]] [-Path <String>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames
<String[]>] [-TrustedForDelegation <Boolean>] -RestrictToSingleComputer [<SwitchParameter>] [-Confirm [<SwitchParameter>]] [-WhatIf
[<SwitchParameter>]] [<CommonParameters>]

New-ADServiceAccount [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AuthType <ADAuthType>]
[-Certificates <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Enabled <Boolean>] [-HomePage
<String>] [-Instance <ADServiceAccount>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-OtherAttributes <Hashtable>] [-PassThru
[<SwitchParameter>]] [-Path <String>] [-SamAccountName <String>] [-Server <String>] [-ServicePrincipalNames <String[]>] [-TrustedForDelegation
<Boolean>] -RestrictToOutboundAuthenticationOnly [<SwitchParameter>] [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]]
[<CommonParameters>]




DESCRIPTION


The New-ADServiceAccount cmdlet creates a new Active Directory managed service account (MSA). By default, a group MSA is created. To create a
standalone MSA that is linked to a specific computer, use the -Standalone parameter (listed in the SYNTAX section and in Example 3 as
-RestrictToSingleComputer). To create a group MSA that can be used only in client roles, use the -Agent parameter (listed in the SYNTAX
section and in Example 4 as -RestrictToOutboundAuthenticationOnly). Such an account can be used for outbound connections only; attempts to
connect to services using this account fail because the account does not have enough information for authentication to succeed. You can set
commonly used MSA property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by
using the OtherAttributes parameter.


The Path parameter specifies the container or organizational unit (OU) for the new MSA object. When you do not specify the Path parameter, the
cmdlet creates an object in the default Managed Service Accounts container for MSA objects in the domain.


The following methods explain different ways to create an object by using this cmdlet.


Method 1: Use the New-ADServiceAccount cmdlet, specify the required parameters, and set any additional property values by using the cmdlet
parameters.


Method 2: Use a template to create the new object. To do this, create a new MSA object or retrieve a copy of an existing MSA object and set
the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can
override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter
description for this cmdlet.


Method 3: Use the Import-CSV cmdlet with the New-ADServiceAccount cmdlet to create multiple Active Directory MSA objects. To do this, use the
Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass
these objects through the pipeline to the New-ADServiceAccount cmdlet to create the MSA objects.
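
Method 3 as an added example (not part of the Microsoft help text): group MSAs are created from a CSV file, each with its password retrieval limited to one named group and AES-only Kerberos encryption, and run with -WhatIf so nothing is written until the output has been reviewed. The account names, host names, groups, SPNs, OU and the CSV column names RetrieveGroup and SPN are constructed placeholders, and the rows are handled in an explicit loop rather than bound straight from the pipeline so that incomplete rows can be rejected.

```powershell
# Added example: bulk creation of group MSAs from a CSV file (Method 3).
# Every name, host, group, SPN and the OU below is a constructed placeholder.
Import-Module ActiveDirectory

# Constructed sample input, written to a temporary file so Import-Csv can read it.
$csvPath = Join-Path $env:TEMP 'gmsa-accounts.csv'
@'
Name,DNSHostName,RetrieveGroup,SPN
svc-web01,svc-web01.contoso.com,GG-WebServers,HTTP/web.contoso.com
svc-sql01,svc-sql01.contoso.com,GG-SqlServers,MSSQLSvc/sql.contoso.com
svc-broken,,GG-WebServers,
'@ | Set-Content -Path $csvPath -Encoding ASCII

# Assumed OU; leave out Path to use the default Managed Service Accounts container.
$ou = 'OU=ServiceAccounts,DC=contoso,DC=com'

Import-Csv -Path $csvPath | ForEach-Object {
    # DNSHostName is mandatory for a group MSA; the retrieval group is required
    # here so that no account is created without an explicit list of readers.
    if (-not $_.Name -or -not $_.DNSHostName -or -not $_.RetrieveGroup) {
        Write-Warning "Skipping incomplete row for '$($_.Name)'"
        return
    }

    $params = @{
        Name                                       = $_.Name
        DNSHostName                                = $_.DNSHostName
        Path                                       = $ou
        # Only members of this (pre-existing) group can retrieve the managed password.
        PrincipalsAllowedToRetrieveManagedPassword = $_.RetrieveGroup
        # Restrict the account to AES; DES and RC4 are left out.
        KerberosEncryptionType                     = 'AES128,AES256'
        Enabled                                    = $true
    }
    if ($_.SPN) { $params.ServicePrincipalNames = $_.SPN }

    # -WhatIf reports what would be created without changing the directory.
    # Remove it once the reported operations match the change request.
    New-ADServiceAccount @params -WhatIf
}

Remove-Item -Path $csvPath
```

The third row is skipped with a warning because it has no DNSHostName.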




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkID=219329
Get-ADServiceAccount
Install-ADServiceAccount
Remove-ADServiceAccount
Set-ADServiceAccount
Uninstall-ADServiceAccount

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

C:\PS>New-ADServiceAccount service1 -DNSHostName service1.contoso.com -Enabled $true



Description

-----------

Create a new enabled managed service account in AD DS.




-------------------------- EXAMPLE 2 --------------------------

C:\PS>New-ADServiceAccount service1 -ServicePrincipalNames "MSSQLSVC/Machine3.corp.contoso.com" -DNSHostName service1.contoso.com



Description

-----------

Create a new managed service account and register its service principal name.




-------------------------- EXAMPLE 3 --------------------------

C:\PS>New-ADServiceAccount service1 -RestrictToSingleComputer



Description

-----------

Create a new managed service account and restrict its use to only a single computer.




-------------------------- EXAMPLE 4 --------------------------

C:\PS>New-ADServiceAccount service1 -RestrictToOutboundAuthenticationOnly



Description

-----------

Create a new managed service account and restrict its use to only outbound authentication.