24.3 New-DRAServiceAccount

Synopsis

Adds a group Managed Service Account (gMSA) to an Active Directory domain.

Syntax

New-DRAServiceAccount -Properties <Hashtable> -Domain <String> [-DRARestServer <String>] [-DRARestPort <Int32>] [-IgnoreCertificateErrors <SwitchParameter>] [-Force <SwitchParameter>] [-Timeout <Int32>] [<CommonParameters>]

Description

The New-DRAServiceAccount cmdlet adds a gMSA to a domain managed by DRA. The requesting user must have the Create group Managed Service Account and Modify All Properties power. Use the Properties parameter to specify the values to use when creating the gMSA. To see the complete list of available properties, run the Get-Member command on the object returned by any DRAServiceAccount command.

Parameters

Attribute / Description

Parameters / Values

Required

Position

Default Value

Accept Pipeline input?

Accept wildcard characters?

Properties <Hashtable>

A hashtable of property values. The key is the name of a defined attribute in the REST interface. For example: -Properties @{Attribute1DRADisplayName="my value"; Attribute2DRADisplayName=value}

Multiple values are specified as a comma-separated list.For example: -Properties @{Attribute1DRADisplayName=value1, value2}

If the property name contains non-alphanumeric characters it needs to be quoted.For example: -Properties @{"Attribute1-DRA-DisplayName"=value}

If the property value contains a quote it needs to be escaped with a backtick (`).For example: -Properties @{Attribute1DRADisplayName="`"sample`" value"}

true

named

 

true (ByPropertyName)

false

Domain <String>

The domain of the object in fqdn format. For example: mydomain.corp

true

named

 

true (ByPropertyName)

false

DRARestServer [<String>]

The name of the computer running the DRA REST Service. The requested DRA operation will execute on this server. If the parameter is not specified, the value defaults to 'localhost'.

false

named

 

true (ByPropertyName)

false

DRARestPort [<Int32>]

The port where the DRA REST Service listens for requests. If the parameter is not specified, the value defaults to 8755.

false

named

8755

true (ByPropertyName)

false

IgnoreCertificateErrors [<SwitchParameter>]

Allows the request to bypass any SSL certificate errors, such as the InvalidOperation error that occurs when the REST Service is bound to a self-signed certificate.

false

named

 

false

false

Force [<SwitchParameter>]

Suppresses any request for user input and supplies a 'yes' response. For example: -Force with a delete request will perform the delete without presenting the confirmation request to the user.

false

named

 

false

false

Timeout [<Int32>]

The number of seconds to wait before the request to the DRA REST server times out. To specify an infinite timeout, you can set this parameter to -1.

false

named

100 seconds

true (ByPropertyName)

false

<CommonParameters>

Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see About CommonParameters.

 

 

 

 

 

NOTE:For more information, type "Get-Help New-DRAServiceAccount -detailed". For technical information, type "Get-Help New-DRAServiceAccount -full".

Example 24-5 1

C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{FriendlyPath="MyDomain.corp/Managed Service Accounts/GMSA123";Description="gMSA for  powershell";DNSHostName="GMSA123.MyDomain.corp"}

This example creates a gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the FriendlyPath property. The samAccountName defaults to the name followed by a dollar sign. There are two properties set on this gMSA: Description and DNSHostName.

Example 24-6 1

PS C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{DistinguishedName="CN=GMSA123,CN=Managed Service 
Accounts,DC=MyDomain,DC=corp";DNSHostName="GMSA123.MyDomain.corp";ManagedPasswordIntervalInDays=20;samAccountName="gMSA123$"}

This example creates a gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the DistinguishedName property. There are three properties set on this gMSA: DNSHostName, ManagedPasswordIntervalInDays, and samAccountName. The value for the ManagedPasswordIntervalInDays property can be specified only when you create a new gMSA. If the value for the ManagedPasswordIntervalInDays property is set to 0, then the default value is used.

Example 24-7 1

PS C:\>New-DRAServiceAccount -Domain MyDomain.corp -Properties @{FriendlyParentPath="MyDomain.corp/Managed Service 
Accounts";Name="GMSA123";DNSHostName="GMSA123.MyDomain.corp";PrincipalsAllowedToRetrieveManagedPassword="CN=George,CN=Users,DC=MYDOMAIN,DC=corp";samAccountName="gMSA123$"}

This example creates the gMSA named GMSA123 in the Managed Service Accounts container of the MyDomain.corp domain using the Name and FriendlyParentPath properties. There are three properties set on this gMSA: DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, and samAccountName.