DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt
|
.NAME
ADManagedServiceAccount .DESCRIPTION The ADManagedServiceAccount DSC resource will manage Single and Group Managed Service Accounts (MSAs) within Active Directory. A Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators. A Single Managed Service Account can only be used on a single computer, whereas a Group Managed Service Account can be shared across multiple computers. ## Requirements * Target machine must be running Windows Server 2008 R2 or later. * Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller. .PARAMETER ServiceAccountName Key - String Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters or less. Once created, the user's SamAccountName and CN cannot be changed. .PARAMETER AccountType Required - String Allowed values: Group, Standalone The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA). .PARAMETER Credential Write - Instance Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController. .PARAMETER Description Write - String Specifies the description of the account (ldapDisplayName 'description'). .PARAMETER DisplayName Write - String Specifies the display name of the account (ldapDisplayName 'displayName'). .PARAMETER DomainController Write - String Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller. .PARAMETER Ensure Write - String Allowed values: Present, Absent Specifies whether the user account is created or deleted. If not specified, this value defaults to Present. .PARAMETER KerberosEncryptionType Write - StringArray Allowed values: None, RC4, AES128, AES256 Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. .PARAMETER ManagedPasswordPrincipals Write - StringArray Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'. .PARAMETER MembershipAttribute Write - String Allowed values: SamAccountName, DistinguishedName, ObjectGUID, ObjectSid Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName. .PARAMETER Path Write - String Specifies the X.500 path of the Organizational Unit (OU) or container where the new account is created. Specified as a Distinguished Name (DN). .PARAMETER Enabled Read - Boolean Returns whether the user account is enabled or disabled. .PARAMETER DistinguishedName Read - String Returns the Distinguished Name of the Service Account. .EXAMPLE 1 This configuration will create a standalone managed service account in the default 'Managed Service Accounts' container. Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'ExampleStandaloneMSA' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Standalone' } } } .EXAMPLE 2 This configuration will create a group managed service account in the default 'Managed Service Accounts' container. Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'ExampleGroupMSA' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Group' } } } .EXAMPLE 3 This configuration will create a group managed service account with members in the default 'Managed Service Accounts' container. Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountWithMembers_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'AddingMembersUsingSamAccountName' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Group' ManagedPasswordPrincipals = 'User01', 'Computer01$' } ADManagedServiceAccount 'AddingMembersUsingDN' { Ensure = 'Present' ServiceAccountName = 'Service02' AccountType = 'Group' ManagedPasswordPrincipals = 'CN=User01,OU=Users,DC=contoso,DC=com', 'CN=Computer01,OU=Computers,DC=contoso,DC=com' } } } .EXAMPLE 4 This configuration will create a group managed service account in the specified path. Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountCustomPath_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { Node localhost { ADManagedServiceAccount 'ExampleGroupMSA' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Group' Path = 'OU=ServiceAccounts,DC=contoso,DC=com' } } } } |