Hey, Scripting Guy! The pointy-headed boss is on a rampage. The problem is he has no idea why he is rampaging. This guy makes Nick Bottom seem like Aristotle. His latest obsession concerns service accounts. He wants me to create user accounts, with names like SQL_Service_Account, make these accounts Domain Administrators, and set their passwords so that they do not expire. I have tried telling him that such an approach is so last century, but he will not listen. I know this may not be a scripting question, but he respects you guys—even if he will not listen to his own staff. Can you help?
Microsoft Scripting Guy Ed Wilson here. I love the smell of the bergamot oil extract that is present in Earl Grey tea. A fresh pot of Earl Grey tea and an ANZAC biscuit and I am ready to swim with the sharks—quite literally as shown in the following image, which shows a shark I snapped when I was diving in Australia.
KM, believe it or not, your question is a scripting question. Windows Server 2008 R2 introduces the concept of the managed service account. Managed service accounts provide a couple of benefits. Perhaps the most important benefit is you do not need to mess with resetting the passwords manually because passwords for managed service accounts are reset automatically. This provides the security benefit of new passwords with the advantage of no administrative overhead. The reason this becomes a scripting question is that there is no ability in Active Directory Users and Computers (that I have seen) to create a new service account. You will need to use Windows PowerShell.
The first thing you will need to do is load the ActiveDirectory module.
For more information on the ActiveDirectory module, see Monday’s Hey, Scripting Guy! post.
To import the activedirectory module, use the Import-Module cmdlet and supply the name of the module. You do not need to type the entire module name because you can use wildcard characters if you wish. The only requirement is that the wildcard character combination match only one module. This is shown here:
PS C:> Import-Module active*
To create a new Active Directory Service Account, use the New-ADServiceAccount cmdlet. One parameter is required: the name of the service account to be created. The default location in Active Directory for managed service accounts is the Managed Service Account container. The following example creates a new managed service account named sql-srv1 in the managed service accounts container in the NWTraders domain:
PS C:> New-ADServiceAccount -Name sql-srv1 -Path "cn=managed service accounts,dc=nwtraders,dc=com"
After the command has executed, the new service account appears, as seen in the following image.
The previous command is kind of long, and you may wish to shorten it. The first task in shortening the length of the command is to see if there is an alias for the New-ADServiceAccount. Using the Get-Alias cmdlet, you get the following results:
PS C:> Get-Alias -Definition New-ADServiceAccount
Get-Alias : This command cannot find a matching alias because alias with definition 'New-ADServiceAccount' do not exist
At line:1 char:10
+ Get-Alias <<<< -Definition New-ADServiceAccount
+ CategoryInfo : ObjectNotFound: (New-ADServiceAccount:String) [Get-Alias], ItemNotFoundException
+ FullyQualifiedErrorId : ItemNotFoundException,Microsoft.PowerShell.Commands.GetAliasCommand
It appears that there is no alias for the New-ADServiceAccount. This is curious, so you use the Get-Alias cmdlet to see if there are any aliases for the Active Directory cmdlets. By using a wildcard character for the cmdlet definition, you can pick up aliases for cmdlets that contain the letters ad in their name, as shown here:
PS C:> Get-Alias -Definition *ad*
CommandType Name Definition
----------- ---- ----------
Alias ac Add-Content
Alias AddComputer Add-Computer
Alias AddContent Add-Content
Alias AddHistory Add-History
Alias AddMember Add-Member
Alias AddPSSnapin Add-PSSnapin
Alias AddType Add-Type
Alias asnp Add-PSSnapIn
Alias ReadHost Read-Host
There are no aliases created for the Active Directory cmdlets. However, this should not prevent you from creating one if you wish to do so. You could put the aliases into a module that you load when you load the Active Directory cmdlets.
To create a new alias, use the New-Alias cmdlet. After the alias is created, you can use the alias to create a new service account:
PS C:> New-Alias -Name adsa -Value New-ADServiceAccount
PS C:> adsa test1
You do not need to specify the location for the managed service account if it is to be placed in the default location. The new managed service account is shown in the following image.
You can specify the password, the location, and even the enabled parameter when creating a new Active Directory service account. One thing to keep in mind is that the password must be a secure string. One way to create a secure string is to use the ConvertTo-SecureString cmdlet. If you type in a plain text string to the ConvertTo-SecureString cmdlet, you need to specify that it is plain text by using the –asplaintext parameter and then you need to use the –force parameter to tell the cmdlet you know what you are doing, and you really do want to use the plain text string as a secure string. By default, service accounts are created with a 240-character randomly generated password. It is possible that the password you specify will not meet complexity requirements. The account will still be created, but it will not be enabled until you have set a password that meets complexity requirements. The following command creates a new service account named sql-srv2. It is a single command that will probably wrap in your Windows PowerShell console, unless you have a widescreen monitor and have increased the dimensions of your Windows PowerShell console.
PS C:> New-ADServiceAccount -Name sql-srv2 -Path "cn=managed service accounts,dc=nwtraders,dc=com" -accountPassword (ConvertTo-SecureString -AsPlainText "P@ssword1" -Force) -enabled $True
If you wish the service account to be trusted for Kerberos delegation, use the –TrustedForDelegation parameter and set its value to $true. When a service account is trusted for delegation, it is permitted to assume the identity of a client requesting the service. The single line of code to create a trusted service account is seen here:
PS C:> New-ADServiceAccount -Name sql-srv3 -Path "cn=managed service accounts,dc=nwtraders,dc=com" -accountPassword (ConvertTo-SecureString -AsPlainText "P@ssword1" -Force) -enabled $True -TrustedForDelegation $true
As a best practice, I recommend supplying a description for any service account that you create. This will help you to know why the account was created, what it is to be used for, and when it can be safely deleted. To specify a description, use the description property:
PS C:> New-ADServiceAccount -Name sql-srv4 -Path "cn=managed service accounts,dc=nwtraders,dc=com" -accountPassword (ConvertTo-SecureString -AsPlainText "P@ssword1" -Force) -enabled $True -TrustedForDelegation $true -description "trusted SQL account"
After all of the accounts have been created, you can use Active Directory Users and Computers to view the newly created accounts. This is seen in the following image.
KM, that is all there is to using the Active Directory cmdlets to create a managed service account. This also concludes Active Directory Week. Join us tomorrow for Quick-Hits Friday.
If you want to know exactly what we will be looking at tomorrow, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at firstname.lastname@example.org or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson and Craig Liebendorfer, Scripting Guys