DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt
|
.NAME
ADManagedServiceAccount .DESCRIPTION The ADManagedServiceAccount DSC resource will manage Single and Group Managed Service Accounts (MSAs) within Active Directory. A Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators. A Single Managed Service Account can only be used on a single computer, whereas a Group Managed Service Account can be shared across multiple computers. ## Requirements * Target machine must be running Windows Server 2008 R2 or later. * Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller. .PARAMETER ServiceAccountName Key - String Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters or less. Once created, the user's SamAccountName and CN cannot be changed. .PARAMETER Ensure Write - String Allowed values: Present, Absent Specifies whether the user account is created or deleted. If not specified, this value defaults to Present. .PARAMETER AccountType Write - String Allowed values: Group, Single The type of managed service account. Single will create a Single Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA). If not specified, this value defaults to Single. .PARAMETER AccountTypeForce Write - Boolean Specifies whether or not to remove the service account and recreate it when going from Single Managed Service Account to Group Managed Service Account and vice-versa. If not specified, this value defaults to $false. .PARAMETER Path Write - String Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. Specified as a Distinguished Name (DN). .PARAMETER Description Write - String Specifies a description of the object (ldapDisplayName 'description'). .PARAMETER DisplayName Write - String Specifies the display name of the object (ldapDisplayName 'displayName'). .PARAMETER Members Write - String Specifies the members of the object (ldapDisplayName 'PrincipalsAllowedToRetrieveManagedPassword'). Only used when 'Group' is selected for 'AccountType'. .PARAMETER MembershipAttribute Write - String Allowed values: SamAccountName, DistinguishedName, ObjectGUID, SID Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName. Only used when 'Group' is selected for 'AccountType'. Default value is 'SamAccountName'. .PARAMETER Credential Write - String Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController. .PARAMETER DomainController Write - String Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller. .PARAMETER Enabled Read - Boolean Returns whether the user account is enabled or disabled. .PARAMETER DistinguishedName Read - String Returns the Distinguished Name of the Service Account. .EXAMPLE 1 This configuration will create a managed service account. Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'ExampleSingleMSA' { Ensure = 'Present' ServiceAccountName = 'Service01' } } } .EXAMPLE 2 This configuration will create a group managed service account. Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'ExampleGroupMSA' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Group' Path = 'OU=ServiceAccounts,DC=contoso,DC=com' } } } .EXAMPLE 3 This configuration will create a group managed service account with members. Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountWithMembers_Config { Import-DscResource -Module ActiveDirectoryDsc Node localhost { ADManagedServiceAccount 'AddingMembersUsingSamAccountName' { Ensure = 'Present' ServiceAccountName = 'Service01' AccountType = 'Group' Path = 'OU=ServiceAccounts,DC=contoso,DC=com' Members = 'User01', 'Computer01$' } ADManagedServiceAccount 'AddingMembersUsingDN' { Ensure = 'Present' ServiceAccountName = 'Service02' AccountType = 'Group' Path = 'OU=ServiceAccounts,DC=contoso,DC=com' Members = 'CN=User01,OU=Users,DC=contoso,DC=com', 'CN=Computer01,OU=Computers,DC=contoso,DC=com' } } } |