Adds a group Managed Service Account (gMSA) to an Active Directory domain.
```powershell
New-DRAServiceAccount -Properties <Hashtable> -Domain <String> [-DRARestServer <String>] [-DRARestPort <Int32>] [-IgnoreCertificateErrors <SwitchParameter>] [-Force <SwitchParameter>] [-Timeout <Int32>] [<CommonParameters>]
```
The New-DRAServiceAccount cmdlet adds a gMSA to a domain managed by DRA. The requesting user must have the Create group Managed Service Account and Modify All Properties power. Use the Properties parameter to specify the values to use when creating the gMSA. To see the complete list of available properties, run the Get-Member command on the object returned by any DRAServiceAccount command.
| Attribute / Description | Required | Position | Default Value | Accept Pipeline input? | Accept wildcard characters? |
|---|---|---|---|---|---|
| `Properties <Hashtable>` A hashtable of property values. The key is the name of a defined attribute in the REST interface, for example `-Properties @{Attribute1DRADisplayName="my value"; Attribute2DRADisplayName=value}`. Multiple values are specified as a comma-separated list, for example `-Properties @{Attribute1DRADisplayName=value1, value2}`. If the property name contains non-alphanumeric characters it must be quoted, for example `-Properties @{"Attribute1-DRA-DisplayName"=value}`. If the property value contains a quote it must be escaped with a backtick, for example ``-Properties @{Attribute1DRADisplayName="`"sample`" value"}``. | true | named | | true (ByPropertyName) | false |
| `Domain <String>` The domain of the object in FQDN format, for example mydomain.corp. | true | named | | true (ByPropertyName) | false |
| `DRARestServer [<String>]` The name of the computer running the DRA REST Service. The requested DRA operation executes on this server. If the parameter is not specified, the value defaults to localhost. | false | named | localhost | true (ByPropertyName) | false |
| `DRARestPort [<Int32>]` The port where the DRA REST Service listens for requests. If the parameter is not specified, the value defaults to 8755. | false | named | 8755 | true (ByPropertyName) | false |
| `IgnoreCertificateErrors [<SwitchParameter>]` Allows the request to bypass any SSL certificate errors, such as the InvalidOperation error that occurs when the REST Service is bound to a self-signed certificate. Because this disables validation of the server's certificate, the client can no longer distinguish the genuine REST Service from an impersonator on the network path; use it only against a lab server, and give production REST Services a certificate the client trusts. | false | named | | false | false |
| `Force [<SwitchParameter>]` Suppresses any request for user input and supplies a 'yes' response. For example, -Force with a delete request performs the delete without presenting the confirmation request to the user. | false | named | | false | false |
| `Timeout [<Int32>]` The number of seconds to wait before the request to the DRA REST server times out. To specify an infinite timeout, set this parameter to -1. | false | named | 100 seconds | true (ByPropertyName) | false |
| `<CommonParameters>` Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see About CommonParameters. | | | | | |
NOTE: For more information, type "Get-Help New-DRAServiceAccount -detailed". For technical information, type "Get-Help New-DRAServiceAccount -full".
Example 24-5

```powershell
PS C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{FriendlyPath="MyDomain.corp/Managed Service Accounts/GMSA123";Description="gMSA for powershell";DNSHostName="GMSA123.MyDomain.corp"}
```

This example creates a gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the FriendlyPath property. The samAccountName defaults to the name followed by a dollar sign. Two properties are set on this gMSA: Description and DNSHostName.
Example 24-6

```powershell
PS C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{DistinguishedName="CN=GMSA123,CN=Managed Service Accounts,DC=MyDomain,DC=corp";DNSHostName="GMSA123.MyDomain.corp";ManagedPasswordIntervalInDays=20;samAccountName="gMSA123$"}
```

This example creates a gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the DistinguishedName property. Three properties are set on this gMSA: DNSHostName, ManagedPasswordIntervalInDays, and samAccountName. The value for the ManagedPasswordIntervalInDays property can be specified only when you create a new gMSA; it cannot be changed afterwards. If the value for the ManagedPasswordIntervalInDays property is set to 0, the default value is used.
Example 24-7

```powershell
PS C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{FriendlyParentPath="MyDomain.corp/Managed Service Accounts";Name="GMSA123";DNSHostName="GMSA123.MyDomain.corp";PrincipalsAllowedToRetrieveManagedPassword="CN=George,CN=Users,DC=MYDOMAIN,DC=corp";samAccountName="gMSA123$"}
```

This example creates the gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the Name and FriendlyParentPath properties. Three properties are set on this gMSA: DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, and samAccountName. Every principal listed in PrincipalsAllowedToRetrieveManagedPassword can read the account's current managed password from Active Directory, which is equivalent to holding the service's credentials; in production, restrict this list to the computer accounts (or a group of the computer accounts) that run the service rather than to user principals.
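The following script is an added example and is not part of the DRA documentation or DRA's own code. It ties together the Properties hashtable rules (array for multi-valued attributes, backtick-escaped quotes) and the parameter table's pipeline behaviour: Domain, Properties, DRARestServer and Timeout all accept pipeline input ByPropertyName, so a set of gMSA definitions can be piped into New-DRAServiceAccount as objects. The REST server name, domain, OU, group and account names are placeholders; treating PrincipalsAllowedToRetrieveManagedPassword as multi-valued in the DRA REST interface is an assumption (it accepts several principals in Active Directory), and the pre-flight checks in Test-GmsaDefinition are local policy added here, not DRA behaviour. The second definition deliberately fails the name-length check to show the failure path.

```powershell
# Added example, not DRA documentation. Creates gMSAs from definition objects piped
# ByPropertyName into New-DRAServiceAccount, with local pre-flight checks.
# Assumptions: server/domain/OU/group/account names are placeholders, and
# PrincipalsAllowedToRetrieveManagedPassword accepts multiple values (as it does in AD).

$restServer = 'dra-rest01.MyDomain.corp'   # placeholder REST server with a trusted TLS certificate

# Constructed sample input: one object per gMSA to create. Property names match
# New-DRAServiceAccount's parameters so they bind from the pipeline ByPropertyName.
$definitions = @(
    [pscustomobject]@{
        Domain        = 'MyDomain.corp'
        DRARestServer = $restServer
        Timeout       = 300
        Properties    = @{
            FriendlyParentPath = 'MyDomain.corp/Managed Service Accounts'
            Name               = 'svc-web01'
            samAccountName     = 'svc-web01$'
            DNSHostName        = 'svc-web01.MyDomain.corp'
            # Only these principals may read the managed password: a group of the hosts
            # that run the service plus one host directly (assumed multi-valued here).
            PrincipalsAllowedToRetrieveManagedPassword = @(
                'CN=WebFarm-Hosts,OU=Groups,DC=MyDomain,DC=corp',
                'CN=WEB01,CN=Computers,DC=MyDomain,DC=corp'
            )
            # Settable only at creation; 0 would fall back to the default interval.
            ManagedPasswordIntervalInDays = 30
            # Quotes inside a value are escaped with a backtick.
            Description        = "`"Web farm`" service account, password managed by AD"
        }
    },
    [pscustomobject]@{
        Domain        = 'MyDomain.corp'
        DRARestServer = $restServer
        Timeout       = 300
        Properties    = @{
            FriendlyParentPath = 'MyDomain.corp/Managed Service Accounts'
            Name               = 'svc-sql-reporting01'   # deliberately too long, see check below
            samAccountName     = 'svc-sql-reporting01$'
            DNSHostName        = 'svc-sql-reporting01.MyDomain.corp'
            PrincipalsAllowedToRetrieveManagedPassword = 'CN=SQL-Hosts,OU=Groups,DC=MyDomain,DC=corp'
        }
    }
)

function Test-GmsaDefinition {
    # Local sanity checks (added here, not DRA behaviour) run before any REST call is made.
    param([Parameter(Mandatory)][hashtable]$Properties)

    # Active Directory limits a gMSA's sAMAccountName to 15 characters plus the trailing '$'.
    if ($Properties.Name.Length -gt 15) {
        throw "Name '$($Properties.Name)' exceeds 15 characters."
    }
    # If samAccountName is given explicitly, keep it consistent with the name (case-insensitive).
    if ($Properties.samAccountName -and $Properties.samAccountName -ne "$($Properties.Name)`$") {
        throw 'samAccountName must be the name followed by a dollar sign.'
    }
    # Whoever can retrieve the managed password holds the service's credentials:
    # require at least one principal and refuse user objects from CN=Users.
    $principals = @($Properties.PrincipalsAllowedToRetrieveManagedPassword)
    if ($principals.Count -eq 0) {
        throw 'PrincipalsAllowedToRetrieveManagedPassword must name the hosts that run the service.'
    }
    foreach ($dn in $principals) {
        if ($dn -match ',CN=Users,') {
            throw "Refusing user principal '$dn' as a password reader; use host or group accounts."
        }
    }
}

$created = foreach ($def in $definitions) {
    try {
        Test-GmsaDefinition -Properties $def.Properties
        # -ErrorAction Stop turns REST or permission failures into terminating errors we can catch.
        # No -IgnoreCertificateErrors: the REST server's certificate is expected to validate.
        $def | New-DRAServiceAccount -ErrorAction Stop
    }
    catch {
        Write-Warning ("Skipped {0}: {1}" -f $def.Properties.Name, $_.Exception.Message)
    }
}
$created
```

Run against a real DRA REST Service, the first definition is submitted and the second is skipped with a warning before any request is sent. The checks express the two points a reviewer would raise about gMSA creation: the 15-character name limit, which otherwise surfaces only as a server-side error, and the fact that the password-retrieval list is an access-control decision, so it is enforced here as policy rather than left to whatever the hashtable happens to contain.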