DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt

.NAME
    ADManagedServiceAccount
 
.DESCRIPTION
    The ADManagedServiceAccount DSC resource will manage Single and Group Managed Service Accounts (MSAs) within Active Directory. A Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators.
    A Single Managed Service Account can only be used on a single computer, whereas a Group Managed Service Account can be shared across multiple computers.
 
    ## Requirements
 
    * Target machine must be running Windows Server 2008 R2 or later.
    * Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller.
 
.PARAMETER ServiceAccountName
    Key - String
    Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 15 characters or less. Once created, the user's SamAccountName cannot be changed.
 
.PARAMETER AccountType
    Required - String
    Allowed values: Group, Standalone
    The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA).
 
.PARAMETER Credential
    Write - Instance
    Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController.
 
.PARAMETER CommonName
    Write - String
    Specifies the common name assigned to the managed service account (ldapDisplayName 'cn'). If not specified the default value will be the same value provided in parameter ServiceAccountName.
 
.PARAMETER Description
    Write - String
    Specifies the description of the account (ldapDisplayName 'description').
 
.PARAMETER DisplayName
    Write - String
    Specifies the display name of the account (ldapDisplayName 'displayName').
 
.PARAMETER DomainController
    Write - String
    Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.
 
.PARAMETER Ensure
    Write - String
    Allowed values: Present, Absent
    Specifies whether the managed service account is created or deleted. If not specified, this value defaults to Present.
 
.PARAMETER KerberosEncryptionType
    Write - StringArray
    Allowed values: None, RC4, AES128, AES256
    Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
.PARAMETER ManagedPasswordPrincipals
    Write - StringArray
    Specifies the membership policy for systems which can use a group managed service account (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.
 
.PARAMETER MembershipAttribute
    Write - String
    Allowed values: SamAccountName, DistinguishedName, ObjectGUID, ObjectSid
    Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName.
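    The two attributes above (msDS-SupportedEncryptionTypes and the principals allowed to retrieve the managed password) are the ones a reviewer most often wants to verify after a configuration has been applied. The following audit function is an added example, not part of ActiveDirectoryDsc; it assumes the ActiveDirectory module is available, that the caller can read the account, and uses the documented bit values of msDS-SupportedEncryptionTypes (DES 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10). The list of expected principals is a constructed input.

```powershell
# Added example (not ActiveDirectoryDsc code): audit a gMSA for weak Kerberos
# encryption types and for principals that should not be able to retrieve the
# managed password. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Bit layout of msDS-SupportedEncryptionTypes. The DES bits are listed only so
# that they can be reported if someone has enabled them.
$EncTypeFlags = @{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4'         = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}

function Test-MsaHardening
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string] $ServiceAccountName,

        # SamAccountNames (e.g. 'WEB01$') that are allowed to retrieve the
        # password. Anything else found on the account is reported.
        [string[]] $ExpectedPrincipals = @()
    )

    $account = Get-ADServiceAccount -Identity $ServiceAccountName -Properties `
        'msDS-SupportedEncryptionTypes', 'PrincipalsAllowedToRetrieveManagedPassword', 'Enabled'

    # An unset attribute reads back as $null, which [int] turns into 0.
    $encValue  = [int] $account.'msDS-SupportedEncryptionTypes'
    $supported = @($EncTypeFlags.Keys | Where-Object { $encValue -band $EncTypeFlags[$_] } | Sort-Object)

    $findings = @()
    $legacyMask = $EncTypeFlags['DES-CBC-CRC'] -bor $EncTypeFlags['DES-CBC-MD5'] -bor $EncTypeFlags['RC4']
    if ($encValue -eq 0)
    {
        $findings += 'msDS-SupportedEncryptionTypes is not set; set KerberosEncryptionType explicitly'
    }
    if ($encValue -band $legacyMask)
    {
        $findings += "Legacy encryption type(s) enabled: $($supported -join ', ')"
    }
    if (-not ($encValue -band $EncTypeFlags['AES256']))
    {
        $findings += 'AES256 is not enabled'
    }

    # The attribute holds distinguished names; resolve them to SamAccountNames
    # so they can be compared with the expected list.
    $actualPrincipals = @(
        foreach ($dn in $account.PrincipalsAllowedToRetrieveManagedPassword)
        {
            (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
        }
    )
    $unexpected = @($actualPrincipals | Where-Object { $_ -notin $ExpectedPrincipals })
    if ($unexpected.Count -gt 0)
    {
        $findings += "Unexpected principals may retrieve the password: $($unexpected -join ', ')"
    }
    if ($actualPrincipals.Count -eq 0)
    {
        $findings += 'No principal can retrieve the password; the account is unusable as a gMSA'
    }

    [pscustomobject] @{
        ServiceAccountName = $ServiceAccountName
        Enabled            = $account.Enabled
        EncryptionTypes    = $supported
        Principals         = $actualPrincipals
        Findings           = $findings
        Compliant          = ($findings.Count -eq 0)
    }
}

# Constructed usage: the account and host names are placeholders.
Test-MsaHardening -ServiceAccountName 'Service01' -ExpectedPrincipals 'Computer01$'
```

Run it on a domain-joined host after the DSC configuration has converged; a non-empty Findings list means either the configuration does not set KerberosEncryptionType / ManagedPasswordPrincipals tightly enough or something outside DSC has changed the account.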
 
.PARAMETER Path
    Write - String
    Specifies the X.500 path of the Organizational Unit (OU) or container where the new account is created. Specified as a Distinguished Name (DN).
 
.PARAMETER Enabled
    Read - Boolean
    Returns whether the managed service account is enabled or disabled.
 
.PARAMETER DistinguishedName
    Read - String
    Returns the Distinguished Name of the Service Account.
 
.EXAMPLE 1
 
This configuration will create a standalone managed service account in the default 'Managed Service Accounts'
container.
 
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Standalone'
        }
    }
}
 
.EXAMPLE 2
 
This configuration will create a group managed service account in the default 'Managed Service Accounts'
container.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'ExampleGroupMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
        }
    }
}
 
.EXAMPLE 3
 
This configuration will create a group managed service account with members in the default 'Managed Service
Accounts' container.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountWithMembers_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'AddingMembersUsingSamAccountName'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
            ManagedPasswordPrincipals = 'User01', 'Computer01$'
        }
 
        ADManagedServiceAccount 'AddingMembersUsingDN'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service02'
            AccountType = 'Group'
            ManagedPasswordPrincipals = 'CN=User01,OU=Users,DC=contoso,DC=com', 'CN=Computer01,OU=Computers,DC=contoso,DC=com'
        }
    }
}
 
.EXAMPLE 4
 
This configuration will create a group managed service account in the specified path.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountCustomPath_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'ExampleGroupMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
            Path = 'OU=ServiceAccounts,DC=contoso,DC=com'
        }
    }
}
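The examples above each exercise one parameter. The configuration below is an added example, not one shipped with ActiveDirectoryDsc, that combines the parameters a hardened deployment normally needs: AES-only KerberosEncryptionType, ManagedPasswordPrincipals restricted to the two hosts that run the service (identified by distinguished name, so MembershipAttribute is set accordingly), a custom Path, and Credential plus DomainController for running from a member server. It also removes a retired standalone account with Ensure = 'Absent'. The account, host, OU and domain controller names are assumed placeholders.

```powershell
# Added example (not ActiveDirectoryDsc's own): a hardened gMSA plus removal of
# a retired sMSA. All names below are constructed placeholders.
Configuration ADManagedServiceAccount_HardenedGroupManagedServiceAccount_Config
{
    param
    (
        # Account with rights to create MSAs; needed because this runs on a
        # member server rather than on a domain controller.
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        ADManagedServiceAccount 'HardenedGroupMSA'
        {
            Ensure                    = 'Present'
            ServiceAccountName        = 'SvcWeb01'
            AccountType               = 'Group'
            CommonName                = 'SvcWeb01'
            Description               = 'gMSA for the intranet web tier'
            Path                      = 'OU=ServiceAccounts,DC=contoso,DC=com'

            # AES only: msDS-SupportedEncryptionTypes will not include RC4, so
            # service tickets for this account are never RC4-encrypted.
            KerberosEncryptionType    = 'AES128', 'AES256'

            # Least privilege: only the hosts that run the service may retrieve
            # the managed password. Members are given as DNs, so the membership
            # attribute is set to match.
            MembershipAttribute       = 'DistinguishedName'
            ManagedPasswordPrincipals = 'CN=WEB01,OU=Servers,DC=contoso,DC=com',
                                        'CN=WEB02,OU=Servers,DC=contoso,DC=com'

            DomainController          = 'DC01.contoso.com'
            Credential                = $Credential
        }

        # Decommission a legacy standalone MSA that the service no longer uses.
        ADManagedServiceAccount 'RetiredStandaloneMSA'
        {
            Ensure             = 'Absent'
            ServiceAccountName = 'SvcLegacy'
            AccountType        = 'Standalone'
            DomainController   = 'DC01.contoso.com'
            Credential         = $Credential
        }
    }
}
```

Because the configuration takes a credential, compile it with ConfigurationData that references a certificate for credential encryption (as for any DSC configuration carrying a PSCredential) rather than allowing plain-text passwords in the MOF.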