PowerShell Logo Small


This is the built-in help made by Microsoft for the command 'Set-ADServiceAccount', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.


Modifies an Active Directory managed service account or group managed service account object.


Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-Add <Hashtable>] [-AuthenticationPolicy
<ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType {Negotiate | Basic}] [-Certificates <String[]>] [-Clear <String[]>]
[-CompoundIdentitySupported <Boolean>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-DNSHostName <String>] [-Enabled <Boolean>] [-HomePage
<String>] [-KerberosEncryptionType {None | DES | RC4 | AES128 | AES256}] [-Partition <String>] [-PassThru] [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
[-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-Remove <Hashtable>] [-Replace <Hashtable>] [-SamAccountName <String>] [-Server <String>]
[-ServicePrincipalNames <Hashtable>] [-TrustedForDelegation <Boolean>] [-Confirm] [-WhatIf] [<CommonParameters>]
Set-ADServiceAccount [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-PassThru] [-Server <String>] -Instance <ADServiceAccount> [-Confirm] [-WhatIf]

Search powershellhelp.space


The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory managed service account (MSA). You can modify commonly used property values by using the
cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory MSA to modify. You can identify an MSA by its distinguished name (DN), GUID, security identifier (SID), or Security
Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through
the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a MSA object and then pass the object through the pipeline to
the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update an MSA object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an
Active Directory MSA object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original MSA object. To get a copy of the object to modify,
use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter,
see the Instance parameter description.

For more information about how the Instance concept is used in Active Directory cmdlets, type Get-Help about_ActiveDirectory_Instance.



Online Version: http://go.microsoft.com/fwlink/p/?linkid=291131




-------------------------- EXAMPLE 1 --------------------------

PS C:\>Set-ADServiceAccount -Identity service1 -Description "Secretive Data Server"

This command sets the description of Managed Service Account service1 to Secretive Data Server.

-------------------------- EXAMPLE 2 --------------------------

PS C:\>Set-ADServiceAccount -Identity Mongol01ADAM -ServicePrincipalNames @{replace="ADAMwdb/a.contoso.com", "ADAMbdb/a.contoso.com"}

This command replaces the value of property ServicePrincipalNames with ADAMwdb/a.contoso.com, ADAMbdb/a.contoso.com.

-------------------------- EXAMPLE 3 --------------------------

PS C:\>Set-ADServiceAccount -Identity service1 -PrincipalsAllowedToRetrieveManagedPassword "MsaAdmins.corp.contoso.com"

This command sets the principals allowed to retrieve the password for this managed service account to be limited to only members of the specified Active Directory group

-------------------------- EXAMPLE 4 --------------------------

PS C:\>Set-ADServiceAccount -Identity AccessTSQA -ServicePrincipalNames @{Add=ACCESSAPP/TSQA.contoso.com}

This command modifies the ServicePrincipalNames property for the AccessTSQA MSA by specifying the Identity and ServicePrincipalNames parameters.

-------------------------- EXAMPLE 5 --------------------------

PS C:\>Get-ADServiceAccount -Identity "AccessTSQA" | Set-ADServiceAccount -ServicePrincipalNames @{Add=ACCESSAPP/TSQA.contoso.com}

This command modifies the ServicePrincipalNames property for the AccessTSQA MSA. The command uses the Get-ADServiceAccount cmdlet to get the AccessTSQA MSA, and then passes
the AccessTSQA MSA to the current cmdlet by using the pipeline operator.

-------------------------- EXAMPLE 6 --------------------------

PS C:\>$ServiceAccount = Get-ADServiceAccount -Identity "AccessTSQA"
PS C:\> $ServiceAccount.ServicePrincipalNames = @{Add=ACCESSAPP/TSQA.contoso.com}
PS C:\> Set-ADServiceAccount -Instance $ServiceAccount

This example modifies the ServicePrincipalNames property for the AccessTSQA MSA. The example modifies a local instance of the AccessTSQA MSA, and then specifies the Instance
parameter for the current cmdlet as the local instance.