AD Users/Groups

Managed Service Account vs User Account

"Managed Service Accounts" (MSA) were introduced in Windows Server 2008 R2 and Windows 7 and provide all the benefits of using a domain user account but also:

  • Passwords are managed and reset automatically.

  • The service principal name (SPN) doesn’t need to be managed.

When using a managed service account:

  • An MSA can be used on only one computer (you must create at least one account per computer).

"Group Managed Service Accounts" (gMSA) are similar but can be applied to a group of computers.

IMPORTANT NOTE for SQL Server:

  • MSA can only be used on SQL2012 or above.

  • gMSA can only be used on SQL2014 or above.

  • For SQL2008 your Service Accounts for the SQL Server Database Engine and SQL Server Agent will need to be regular AD user accounts (or local accounts, not recommended).

Change Password (Command Line)

Use one of the following methods...

NOTE: If you get "System error 5 has occurred" then you don't have the domain privileges to do this.

net user /domain myuser mynewpass

To be prompted for password (more secure)...

net user /domain myuser *

From a Powershell window you can make use of the environment...

net user /domain $env:UserName *

Change Password (Powershell)

Set-AdAccountPassword -Identity $env:UserName -OldPassword (Read-Host -asSecureString "Current") -NewPassword (Read-Host -asSecureString "New")

This script can be used from Powershell when you are unable to RDP to a server in the target domain...

Run with...

Set-PasswordRemotely -DomainController myDomainController

It will prompt for UserName, OldPassword and NewPassword. If you are already logged into the domain you can omit the DomainController and it will default to your current one.

function Set-PasswordRemotely {
    [CmdletBinding(DefaultParameterSetName = 'Secure')]
    param(
        [Parameter(ParameterSetName = 'Secure', Mandatory)][string] $UserName,
        [Parameter(ParameterSetName = 'Secure', Mandatory)][securestring] $OldPassword,
        [Parameter(ParameterSetName = 'Secure', Mandatory)][securestring] $NewPassword,
        [Parameter(ParameterSetName = 'Secure')][alias('DC', 'Server', 'ComputerName')][string] $DomainController
    )
    Begin {
        # P/Invoke NetUserChangePassword from netapi32.dll; the call goes straight to the DC,
        # so it works from a machine that is not joined to the target domain.
        # The here-string terminator '@ must be the first thing on its line.
        $DllImport = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern bool NetUserChangePassword(string domain, string username, string oldpassword, string newpassword);
'@
        $NetApi32 = Add-Type -MemberDefinition $DllImport -Name 'NetApi32' -Namespace 'Win32' -PassThru
        if (-not $DomainController) {
            if ($env:computername -eq $env:userdomain) {
                # not joined to a domain, so prompt for the DC
                $DomainController = Read-Host -Prompt 'Domain Controller DNS name or IP Address'
            } else {
                # domain-joined: locate a DC for the current domain
                $Domain = $Env:USERDNSDOMAIN
                $Context = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $Domain)
                $DomainController = ([System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($Context)).Name
            }
        }
    }
    Process {
        if ($DomainController -and $OldPassword -and $NewPassword -and $UserName) {
            # The SecureStrings are only decrypted for the duration of the API call
            $OldPasswordPlain = [System.Net.NetworkCredential]::new([string]::Empty, $OldPassword).Password
            $NewPasswordPlain = [System.Net.NetworkCredential]::new([string]::Empty, $NewPassword).Password
            # NetUserChangePassword returns NET_API_STATUS: 0 (false) on success, non-zero (true) on failure
            $result = $NetApi32::NetUserChangePassword($DomainController, $UserName, $OldPasswordPlain, $NewPasswordPlain)
            if ($result) {
                Write-Host -Object "Set-PasswordRemotely - Password change for account $UserName failed on $DomainController. Please try again." -ForegroundColor Red
            } else {
                Write-Host -Object "Set-PasswordRemotely - Password change for account $UserName succeeded on $DomainController." -ForegroundColor Cyan
            }
        } else {
            Write-Warning "Set-PasswordRemotely - Password change for account failed. All parameters are required."
        }
    }
}

Show User (Command Line)

net user myuser /domain

From a Powershell window you can make use of the environment...

net user /domain $env:UserName

Show Users (Powershell)

Get-ADUser -Filter *

Get-ADUser -Identity My.User

Get-ADUser -Identity $env:UserName

To see all available queryable columns...

Get-ADUser -Identity $env:UserName | Get-Member

To see information about other users by SamAccountName...

$Item = @("SamAccountName","UserPrincipalName")

Get-ADUser -Identity SamAccountName | Format-Table $Item -auto
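Building on the Get-ADUser -Filter queries above, the following added example (not code from the original page) reports regular user accounts that carry an SPN, i.e. services still running under a user account as in the SQL2008 case, together with password age, so they can be scheduled for migration to an MSA/gMSA. It assumes the ActiveDirectory module is installed; the function name and the 90-day threshold are my own choices.

```powershell
# Added example: inventory user accounts used as service accounts (not from the original page).
Import-Module ActiveDirectory

function Get-UserServiceAccountReport {
    param([int]$MaxPasswordAgeDays = 90)   # assumed threshold; a gMSA rotates every 30 days by default

    # Get-ADUser omits these attributes unless asked for explicitly
    $Props = 'ServicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate'

    # -Filter is evaluated server-side on the DC, so only matching objects come back
    Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } -Properties $Props |
        ForEach-Object {
            $Age = if ($_.PasswordLastSet) {
                (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
            } else {
                $null   # never set, or not readable
            }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                SPNCount             = @($_.ServicePrincipalName).Count
                PasswordAgeDays      = $Age
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                # anything an MSA/gMSA would already have rotated is flagged for follow-up
                NeedsAttention       = ($_.PasswordNeverExpires -or ($null -eq $Age) -or ($Age -gt $MaxPasswordAgeDays))
            }
        } | Sort-Object PasswordAgeDays -Descending
}

Get-UserServiceAccountReport | Format-Table -AutoSize
```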

Show Managed Service Accounts (Powershell)

Get-ADServiceAccount -Filter *

Get-AdServiceAccount -Identity SQL01_SVC

Create User (Powershell)

$Attributes = @{
    Enabled               = $true
    ChangePasswordAtLogon = $true
    UserPrincipalName     = "my.user@mydomain.local"
    Name                  = "My.User"
    GivenName             = "My"
    Surname               = "User"
    DisplayName           = "My User"
    Description           = "This is the account for My User"
    AccountPassword       = "InitialPassword!!!" | ConvertTo-SecureString -AsPlainText -Force
}

New-ADUser @Attributes

For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser

An example for a SQL2008 SQL Service account...

New-ADUser -Name "SQL01_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitialPassword!!!" -Force)

Create Managed Service Account

New-ADServiceAccount -Name "SQL01_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True

For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount
IMPORTANT: If this is the first time you are creating a Managed Service Account in your Domain then you need to perform one time creation of the Key Distribution Services (KDS) Root Key. This should be run on the Domain Controller...

Add-KdsRootKey -EffectiveImmediately

Note that it can take up to 10 hours for the Root Key to become usable. Factor this time into your plan for production environments.
For Test environments with only one Domain you can fool the system like this...

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
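Putting the steps above together, this added example (not code from the original page) provisions a gMSA for a SQL host end to end: it checks that a KDS root key exists and is already effective, scopes password retrieval to a group of hosts rather than one computer, creates the account, and then installs and tests it on the host itself. The names SQL01, SQL01_gMSA, SQL01_Hosts and mydomain.local are placeholders; it assumes the ActiveDirectory and KDS modules on the admin workstation, RSAT on the SQL host, and domain admin rights.

```powershell
# Added example: end-to-end gMSA provisioning for a SQL host (not from the original page).
Import-Module ActiveDirectory

$AccountName = 'SQL01_gMSA'     # placeholder names
$HostGroup   = 'SQL01_Hosts'    # AD group of computers allowed to retrieve the password
$SqlHost     = 'SQL01'

# 1. A KDS root key must exist and be effective, otherwise New-ADServiceAccount fails
#    with "Key does not exist". Take the newest key and check its EffectiveTime.
$RootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
if (-not $RootKey) {
    throw 'No KDS root key found. Run Add-KdsRootKey on a Domain Controller first (see above).'
}
if ($RootKey.EffectiveTime -gt (Get-Date)) {
    throw "KDS root key $($RootKey.KeyId) is not usable until $($RootKey.EffectiveTime)."
}

# 2. Allow a group of hosts, not a single computer object, to retrieve the password.
#    Adding a second SQL node later is then a group membership change, not an account change.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $SqlHost)

# 3. Create the gMSA. No password is supplied: AD generates it and rotates it on the interval.
New-ADServiceAccount -Name $AccountName `
    -DNSHostName "$SqlHost.mydomain.local" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType 'AES128,AES256' `
    -Enabled $true

# 4. On the SQL host: install the account and verify the host can fetch the password.
#    The host's Kerberos ticket must reflect its new group membership first (reboot the host,
#    or purge the system logon session's tickets), or Test-ADServiceAccount returns False.
Invoke-Command -ComputerName $SqlHost -ScriptBlock {
    param($Name)
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name    # True when the password can be retrieved here
} -ArgumentList $AccountName
```

The account is then assigned to the SQL Server services on SQL01 as MYDOMAIN\SQL01_gMSA$ with an empty password field.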

Delete User (Powershell)

Remove-ADUser -Identity My.User

Delete Managed Service Accounts (Powershell)

Remove-ADServiceAccount -Identity SQL01_SVC

Bibliography

https://www.pdq.com/blog/add-users-to-ad-with-powershell/
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount
https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser
https://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-aduser
https://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adgroupmember?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adgroup
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/deployment/setup-deploy-on-premises-pu12#known-issues
https://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-exist
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key
https://docs.microsoft.com/en-us/powershell/module/kds/add-kdsrootkey
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009
https://stackoverflow.com/questions/58877021/windows-function-netuserchangepassword-is-no-longer-working-under-windows-10#58911226

Change AD Password
https://ss64.com/ps/set-adaccountpassword.html
https://gist.github.com/wim-beck/c402e54b47ab852701be800af6206073
https://gist.github.com/jstangroome/3087453
https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/

ADUC
https://blog.netwrix.com/2017/01/30/active-directory-users-and-computers-aduc/

MSA
https://syfuhs.net/how-managed-service-accounts-in-active-directory-work
https://servergeeks.wordpress.com/2012/10/29/service-account-in-ad/

MSA/SQL
https://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/
https://www.mssqltips.com/sqlservertip/5334/using-managed-service-accounts-with-sql-server/