Skip to main content

Register-DMServiceAccount

SYNOPSIS

Register a Group Managed Service Account as a desired state object.

SYNTAX

__AllParameterSets

Register-DMServiceAccount [-Name] <string> [-DNSHostName] <string> [-Description] <string>
[-Path] <string> [[-ServicePrincipalName] <string[]>] [[-DisplayName] <string>]
[[-ObjectCategory] <string[]>] [[-ComputerName] <string[]>] [[-ComputerNameOptional] <string[]>]
[[-GroupName] <string[]>] [[-KerberosEncryptionType] <string[]>] [[-Enabled] <TriBool>]
[[-Present] <TriBool>] [[-Attributes] <Object>] [[-OldNames] <string[]>] [[-ContextName] <string>]
[<CommonParameters>]

DESCRIPTION

Register a Group Managed Service Account as a desired state object. This will then be tested for during Test-DMServiceAccount and ensured during Invoke-DMServiceAccount.

EXAMPLES

EXAMPLE 1

Get-Content .\serviceaccounts.json | ConvertFrom-Json | Write-Output | Register-DMServiceAccount

Load up all settings defined in serviceaccounts.json

PARAMETERS

-Attributes

Offer additional attributes to define. This can be either a hashtable or an object and can contain any writeable properties a gMSA can have in your organization.

Type: System.Object
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 13
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ComputerName

Only thus designated principals are allowed to retrieve the password to the gMSA. Using this you can grant access to an explicit list of computer accounts. A missing computer will cause a warning, but not otherwise fail the process. Supports string resolution.

Type: System.String[]
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 7
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ComputerNameOptional

Only thus designated principals are allowed to retrieve the password to the gMSA. Using this you can grant access to an explicit list of computer accounts. A missing computer will be logged but not otherwise noted. Supports string resolution.

Type: System.String[]
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 8
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ContextName

The name of the context defining the setting. This allows determining the configuration set that provided this setting. Used by the ADMF, available to any other configuration management solution.

Type: System.String
DefaultValue: <Undefined>
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 15
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Description

Describe what the gMSA is supposed to be used for. Supports string resolution.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 2
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-DisplayName

A custom DisplayName for the gMSA. Note, this setting will be ignored in the default dsa.msc console! It only affects other applications that might be gMSA aware and support it. Supports string resolution.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 5
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-DNSHostName

The DNSHostName of the gMSA. Supports string resolution.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 1
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Enabled

Whether the account should be enabled or disabled. By default, this is 'Undefined', causing the workflow to ignore its enablement state.

Type: DomainManagement.TriBool
DefaultValue: Undefined
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 11
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-GroupName

Only thus designated principals are allowed to retrieve the password to the gMSA. Using this you can grant access to an explicit list of ActiveDirectory groups. Supports string resolution.

Type: System.String[]
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 9
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-KerberosEncryptionType

The supported Kerberos encryption types. Can be any combination of 'AES128', 'AES256', 'DES', 'RC4' Default: 'AES128','AES256'

Type: System.String[]
DefaultValue: "@('AES128', 'AES256')"
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 10
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Name

Name of the Service Account. This must be a legal name, 15 characters or less (no trailing $ needed). The SamAccountName will be automatically calculated based off this setting (by appending a $). Supports string resolution.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 0
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ObjectCategory

Only thus designated principals are allowed to retrieve the password to the gMSA. Using this you can grant access to any members of given Object Categories.

Type: System.String[]
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 6
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-OldNames

A list of previous names the gMSA held. This causes the ADMF to trigger rename actions.

Type: System.String[]
DefaultValue: '@()'
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 14
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Path

The path where to place the gMSA. Supports string resolution.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 3
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Present

Whether the account should exist or not. By default, it should. Set this to $false in order to explicitly delete an existing gMSA. Set this to 'Undefined' to neither create nor delete it, in which case it will only modify properties if the service account exists.

Type: DomainManagement.TriBool
DefaultValue: true
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 12
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ServicePrincipalName

Any service principal names to add to the gMSA. Supports string resolution.

Type: System.String[]
DefaultValue: '@()'
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: 4
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.