Embedded Files
ADUC
ADUC
Active Directory Users and Computers
Managed Service Account vs User Account
Managed Service Account vs User Account
"Managed Service Accounts" (MSA) were introduced in Windows Server 2008 R2 and Windows 7 and provide all the benefits of using a domain user account but also:
Passwords are managed and reset automatically.
The service principal name (SPN) doesn’t need to be managed.
When using a managed service account:
A user account can be used on only one computer (you must create at least one account per computer).
"Group Managed Service Accounts" (gMSA) are similar but can be applied to a group of computers.
IMPORTANT NOTE for SQL Server:
MSA can only be used on SQL2012 or abovegMSA can only be used on SQL2014 or aboveFor SQL2008 your Service Accounts for the SQL Server Database Engine and SQL Server Agent will need to be regular AD user accounts (or local accounts, not recommended).Password
Password
Use one of the following methods...
NOTE: If you get "System error 5 has occurred" then you don't have the domain privileges to do this.net user /domain myuser mynewpass
To be prompted for password (more secure)...
net user /domain myuser *
From a Powershell window you can make use of the environment...
net user /domain $env:UserName *
Change Password (Powershell)
Change Password (Powershell)
Set-AdAccountPassword -Identity $env:UserName -OldPassword (Read-Host -asSecureString "Current") -NewPassword (Read-Host -asSecureString "New")
This script can be used from Powershell when you are unable to RDP to a server in the target domain...
Run with...
psadpassreset -DomainController myDomainController
It will prompt for UserName, OldPassword and NewPassword.If you are already logged into the domain you can omit the DomainController and it will default to your current one.Check
Check
net user myuser /domain
From a Powershell window you can make use of the environment...
net user /domain $env:UserName
Show Users (Powershell)
Show Users (Powershell)
Get-ADUser -Filter *
Get-ADUser -Identity My.User
Get-ADUser -Identity $env:UserName
To see all available queryable columns...
Get-ADUser -Identity $env:UserName | Get-Member
To see information about other users by SamAccountName...
$Item = @("SamAccountName","UserPrincipalName")
Get-ADUser -Identity SamAccountName | Format-Table $Item -auto
Show Managed Service Accounts (Powershell)
Show Managed Service Accounts (Powershell)
Get-ADServiceAccount -Filter *
Get-AdServiceAccount -Identity SQL01_SVC
Create
Create
Create User (Powershell)
Create User (Powershell)
$Attributes = @{
Enabled = $true
ChangePasswordAtLogon = $true
UserPrincipalName = "my.user@mydomain.local"
Name = "My.User"
GivenName = "My"
Surname = "User"
DisplayName = "My User"
Description = "This is the account for My User"
AccountPassword = "InitialPassword!!!" | ConvertTo-SecureString -AsPlainText -Force
}
New-ADUser @Attributes
For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduserAn example for a SQL2008 SQL Service account...
New-ADUser -Name "SQL01_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitialPassword!!!" -Force)
Create Managed Service Account
Create Managed Service Account
New-ADServiceAccount -Name "SQL01_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True
For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccountIMPORTANT: If this is the first time you are creating a Managed Service Account in your Domain then you need to perform one time creation of the Key Distribution Services KDS Root Key...This should be run on the Domain Controller...
For Test environments with only one Domain you can fool the system like this...
Add-KdsRootKey -EffectiveImmediately
Note that it can take up to 10 hours for the Root Key to become usable. Factor this time into your plan for production environments.For Test environments with only one Domain you can fool the system like this...
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
Delete
Delete
Delete User (Powershell)
Delete User (Powershell)
Remove-ADUser -Identity My.User
Delete Managed Service Accounts (Powershell)
Delete Managed Service Accounts (Powershell)
Remove-ADServiceAccount -Identity SQL01_SVC
Bibliography
Bibliography
https://www.pdq.com/blog/add-users-to-ad-with-powershell/https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccounthttps://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adgroupmember?view=win10-pshttps://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adgrouphttps://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/deployment/setup-deploy-on-premises-pu12#known-issueshttps://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-existhttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-keyhttps://docs.microsoft.com/en-us/powershell/module/kds/add-kdsrootkeyhttps://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009https://stackoverflow.com/questions/58877021/windows-function-netuserchangepassword-is-no-longer-working-under-windows-10#58911226
Change AD Passwordhttps://ss64.com/ps/set-adaccountpassword.htmlhttps://gist.github.com/wim-beck/c402e54b47ab852701be800af6206073https://gist.github.com/jstangroome/3087453https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/
ADUChttps://blog.netwrix.com/2017/01/30/active-directory-users-and-computers-aduc/
MSAhttps://syfuhs.net/how-managed-service-accounts-in-active-directory-workhttps://servergeeks.wordpress.com/2012/10/29/service-account-in-ad/
MSA/SQLhttps://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/https://www.mssqltips.com/sqlservertip/5334/using-managed-service-accounts-with-sql-server/
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/deployment/setup-deploy-on-premises-pu12#known-issueshttps://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-existhttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-keyhttps://docs.microsoft.com/en-us/powershell/module/kds/add-kdsrootkeyhttps://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009https://stackoverflow.com/questions/58877021/windows-function-netuserchangepassword-is-no-longer-working-under-windows-10#58911226
Change AD Passwordhttps://ss64.com/ps/set-adaccountpassword.htmlhttps://gist.github.com/wim-beck/c402e54b47ab852701be800af6206073https://gist.github.com/jstangroome/3087453https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/
ADUChttps://blog.netwrix.com/2017/01/30/active-directory-users-and-computers-aduc/
MSAhttps://syfuhs.net/how-managed-service-accounts-in-active-directory-workhttps://servergeeks.wordpress.com/2012/10/29/service-account-in-ad/
MSA/SQLhttps://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/https://www.mssqltips.com/sqlservertip/5334/using-managed-service-accounts-with-sql-server/
Page updated
Google Sites
Report abuse