AD Users/Groups

ADUC

Active Directory Users and Computers

Managed Service Account vs User Account

"Managed Service Accounts" (MSA) were introduced in Windows Server 2008 R2 and Windows 7 and provide all the benefits of using a domain user account but also:

When using a managed service account:

"Group Managed Service Accounts" (gMSA) are similar but can be applied to a group of computers.

IMPORTANT NOTE for SQL Server:

MSA can only be used on SQL2012 or abovegMSA can only be used on SQL2014 or aboveFor SQL2008 your Service Accounts for the SQL Server Database Engine and SQL Server Agent will need to be regular AD user accounts (or local accounts, not recommended).

Password

Use one of the following methods...

NOTE: If you get "System error 5 has occurred" then you don't have the domain privileges to do this.

net user /domain myuser mynewpass

To be prompted for password (more secure)...

net user /domain myuser *

From a Powershell window you can make use of the environment...

net user /domain $env:UserName *

Change Password (Powershell)

Set-AdAccountPassword -Identity $env:UserName -OldPassword (Read-Host -asSecureString "Current") -NewPassword (Read-Host -asSecureString "New")

This script can be used from Powershell when you are unable to RDP to a server in the target domain...

Run with...

psadpassreset -DomainController myDomainController

It will prompt for UserName, OldPassword and NewPassword.If you are already logged into the domain you can omit the DomainController and it will default to your current one.

Check

net user myuser /domain

From a Powershell window you can make use of the environment...

net user /domain $env:UserName

Show Users (Powershell)

Get-ADUser -Filter *

Get-ADUser -Identity My.User

Get-ADUser -Identity $env:UserName

To see all available queryable columns...

Get-ADUser -Identity $env:UserName | Get-Member

To see information about other users by SamAccountName...

$Item = @("SamAccountName","UserPrincipalName")

Get-ADUser -Identity SamAccountName | Format-Table $Item -auto

Show Managed Service Accounts (Powershell)

Get-ADServiceAccount -Filter *

Get-AdServiceAccount -Identity SQL01_SVC

Create

Create User (Powershell)

$Attributes = @{

   Enabled = $true

   ChangePasswordAtLogon = $true

   UserPrincipalName = "my.user@mydomain.local"

   Name = "My.User"

   GivenName = "My"

   Surname = "User"

   DisplayName = "My User"

   Description = "This is the account for My User"

   AccountPassword = "InitialPassword!!!" | ConvertTo-SecureString -AsPlainText -Force

}

New-ADUser @Attributes

For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser

An example for a SQL2008 SQL Service account...

New-ADUser -Name "SQL01_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitialPassword!!!" -Force)

Create Managed Service Account

New-ADServiceAccount -Name "SQL01_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True

For a full list of potential attributes see: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount
IMPORTANT: If this is the first time you are creating a Managed Service Account in your Domain then you need to perform one time creation of the Key Distribution Services KDS Root Key...This should be run on the Domain Controller...

Add-KdsRootKey -EffectiveImmediately

Note that it can take up to 10 hours for the Root Key to become usable. Factor this time into your plan for production environments.
For Test environments with only one Domain you can fool the system like this...

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

Delete

Delete User (Powershell)

Remove-ADUser -Identity My.User

Delete Managed Service Accounts (Powershell)

Remove-ADServiceAccount -Identity SQL01_SVC

Bibliography

https://www.pdq.com/blog/add-users-to-ad-with-powershell/https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccounthttps://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-aduserhttps://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adgroupmember?view=win10-pshttps://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adgrouphttps://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/deployment/setup-deploy-on-premises-pu12#known-issueshttps://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-existhttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-keyhttps://docs.microsoft.com/en-us/powershell/module/kds/add-kdsrootkeyhttps://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009https://stackoverflow.com/questions/58877021/windows-function-netuserchangepassword-is-no-longer-working-under-windows-10#58911226
Change AD Passwordhttps://ss64.com/ps/set-adaccountpassword.htmlhttps://gist.github.com/wim-beck/c402e54b47ab852701be800af6206073https://gist.github.com/jstangroome/3087453https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/
ADUChttps://blog.netwrix.com/2017/01/30/active-directory-users-and-computers-aduc/
MSAhttps://syfuhs.net/how-managed-service-accounts-in-active-directory-workhttps://servergeeks.wordpress.com/2012/10/29/service-account-in-ad/
MSA/SQLhttps://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/https://www.mssqltips.com/sqlservertip/5334/using-managed-service-accounts-with-sql-server/