-
Notifications
You must be signed in to change notification settings - Fork 139
ADManagedServiceAccount
dscbot edited this page Aug 24, 2023
·
5 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| ServiceAccountName | Key | String | Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 15 characters or less. Once created, the user's SamAccountName cannot be changed. | |
| AccountType | Required | String | The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA). |
Group, Standalone
|
| Credential | Write | PSCredential | Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController. | |
| CommonName | Write | String | Specifies the common name assigned to the managed service account (ldapDisplayName 'cn'). If not specified the default value will be the same value provided in parameter ServiceAccountName. | |
| Description | Write | String | Specifies the description of the account (ldapDisplayName 'description'). | |
| DisplayName | Write | String | Specifies the display name of the account (ldapDisplayName 'displayName'). | |
| DomainController | Write | String | Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller. | |
| Ensure | Write | String | Specifies whether the user account is created or deleted. If not specified, this value defaults to Present. |
Present, Absent
|
| KerberosEncryptionType | Write | StringArray[] | Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. |
None, RC4, AES128, AES256
|
| ManagedPasswordPrincipals | Write | StringArray[] | Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'. | |
| MembershipAttribute | Write | String | Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName. |
SamAccountName, DistinguishedName, ObjectGUID, ObjectSid
|
| Path | Write | String | Specifies the X.500 path of the Organizational Unit (OU) or container where the new account is created. Specified as a Distinguished Name (DN). | |
| Enabled | Read | Boolean | Returns whether the user account is enabled or disabled. | |
| DistinguishedName | Read | String | Returns the Distinguished Name of the Service Account. |
The ADManagedServiceAccount DSC resource will manage Single and Group Managed Service Accounts (MSAs) within Active Directory. A Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators. A Single Managed Service Account can only be used on a single computer, whereas a Group Managed Service Account can be shared across multiple computers.
- Target machine must be running Windows Server 2008 R2 or later.
- Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller.
This configuration will create a standalone managed service account in the default 'Managed Service Accounts' container.
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADManagedServiceAccount 'ExampleStandaloneMSA'
{
Ensure = 'Present'
ServiceAccountName = 'Service01'
AccountType = 'Standalone'
}
}
}This configuration will create a group managed service account in the default 'Managed Service Accounts' container.
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccount_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADManagedServiceAccount 'ExampleGroupMSA'
{
Ensure = 'Present'
ServiceAccountName = 'Service01'
AccountType = 'Group'
}
}
}This configuration will create a group managed service account with members in the default 'Managed Service Accounts' container.
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountWithMembers_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADManagedServiceAccount 'AddingMembersUsingSamAccountName'
{
Ensure = 'Present'
ServiceAccountName = 'Service01'
AccountType = 'Group'
ManagedPasswordPrincipals = 'User01', 'Computer01$'
}
ADManagedServiceAccount 'AddingMembersUsingDN'
{
Ensure = 'Present'
ServiceAccountName = 'Service02'
AccountType = 'Group'
ManagedPasswordPrincipals = 'CN=User01,OU=Users,DC=contoso,DC=com', 'CN=Computer01,OU=Computers,DC=contoso,DC=com'
}
}
}This configuration will create a group managed service account in the specified path.
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountCustomPath_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
Node localhost
{
ADManagedServiceAccount 'ExampleGroupMSA'
{
Ensure = 'Present'
ServiceAccountName = 'Service01'
AccountType = 'Group'
Path = 'OU=ServiceAccounts,DC=contoso,DC=com'
}
}
}
}- ADComputer
- ADDomain
- ADDomainController
- ADDomainControllerProperties
- ADDomainDefaultPasswordPolicy
- ADDomainFunctionalLevel
- ADDomainTrust
- ADFineGrainedPasswordPolicy
- ADForestFunctionalLevel
- ADForestProperties
- ADGroup
- ADKDSKey
- ADManagedServiceAccount
- ADObjectEnabledState
- ADObjectPermissionEntry
- ADOptionalFeature
- ADOrganizationalUnit
- ADReplicationSite
- ADReplicationSiteLink
- ADReplicationSubnet
- ADServicePrincipalName
- ADUser
- Home
- WaitForADDomain