New-ADServiceAccount

Specifies the expiration date for an account. This parameter sets the AccountExpirationDate property of an account object. The LDAP display name (ldapDisplayName) for this property is accountExpires.

Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value isn't specified, the time is assumed to 12:00:00 AM local time. When a date isn't specified, the date is assumed to be the current date.

Indicates whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account isn't delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute.

Specifies a new password value for the service account. This value is stored as an encrypted string.

The following conditions apply based on the manner in which the password parameter is used:

• $Null password is specified. Random password is set and the account is enabled unless it's requested to be disabled.
• No password is specified. Random password is set and the account is enabled unless it's requested to be disabled.
• User password is specified. Password is set and the account is enabled unless it's requested to be disabled, unless the password you provided doesn't meet password policy or was not set for other reasons, at which point the account is disabled.

The new ADServiceAccount object will always either be disabled or have a user-requested or randomly-generated password. there's no way to create an enabled service account object with a password that violates domain password policy, such as an empty password.

Specifies an Active Directory Domain Services authentication policy object. Specify the authentication policy object in one of the following formats:

• Distinguished name
• GUID
• Name

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error.

Specifies an Active Directory Domain Services authentication policy silo object. Specify the authentication policy silo object in one of the following formats:

• Distinguished name
• GUID
• Name

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

The cmdlet searches the default naming context or partition to find the object. If the cmdlet finds two or more objects, the cmdlet returns a non-terminating error.

Specifies the authentication method to use. The acceptable values for this parameter are:

• Negotiate or 0
• Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

Specifies an array of certificates. The cmdlet modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is userCertificate.

To add values:

-Certificates @{Add=value1,value2,...}

To remove values:

-Certificates @{Remove=value3,value4,...}

To replace values:

-Certificates @{Replace=value1,value2,...}

To clear all values:

-Certificates $Null

You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values:

-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators are applied in the following sequence:

• Remove
• Add
• Replace

Indicates whether an account supports Kerberos service tickets which includes the authorization data for the user's device. This value sets the compound identity supported flag of the Active Directory msDS-SupportedEncryptionTypes attribute. The acceptable values for this parameter are:

• $False or 0
• $True or 1

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.

Prompts you for confirmation before running the cmdlet.

Indicates that the cmdlet creates a delegated managed service account that be used for migration. Delegated managed service accounts were introduced in Windows Server 2025.

Specifies the service account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type an administrative account name, such as Admin1 or Contoso\Admin1 or you can specify a PSCredential object. If you specify a service account name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.

If the acting credentials don't have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is description.

Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is displayName.

Specifies the DNS host name of Service Account.

Indicates whether an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory UAC attribute.

Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is wWWHomePage.

Specifies an instance of a service account object to use as a template for a new service account object.

You can use an instance of an existing service account object as a template or you can construct a new service account object for template use. You can construct a new service account using the Windows PowerShell command line or by using a script.

Note: Specified attributes aren't validated, so attempting to set attributes that Don�t exist or can't be set raises an error.

Indicates whether an account supports Kerberos encryption types which are used during creation of service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute. The acceptable values for this parameter are:

• None
• DES
• RC4
• AES128
• AES256

None will remove all encryption types from the account may result in the KDC being unable to issue service tickets for services using the account.

DES is a weak encryption type that'sn't supported by default since Windows 7 and Windows Server 2008 R2.

Warning: Domain-joined Windows systems and services such as clustering manage their own msDS-SupportedEncryptionTypes attribute. Therefore any changes to the flag on the msDS-SupportedEncryptionTypes attribute will be overwritten by the service or system which manages the setting.

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is name.

Specifies object attribute values for attributes that aren't represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAP Display Name (ldapDisplayName) defined for it in the Active Directory schema.

To specify a single value for an attribute:

-OtherAttributes @{'AttributeLDAPDisplayName'=value}

To specify multiple values for an attribute

-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:

-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

Returns an object representing the item with which you're working. By default, this cmdlet does not generate any output.

Specifies the X.500 path of the organizational unit (OU) or container where the new object is created.

In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules are evaluated.

In AD DS environments, a default value for Path is set in the following cases:

• If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
• If the cmdlet has a default path, this is used. For example: in New-ADUser, the Path parameter defaults to the Users container.
• If none of the previous cases apply, the default value of Path is set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Path is set in the following cases:

• If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
• If the cmdlet has a default path, this is used. For example: in New-ADUser, the Path parameter defaults to the Users container.
• If the target AD LDS instance has a default naming context, the default value of Path is set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent object (nTDSDSA) for the AD LDS instance.
• If none of the previous cases apply, the Path parameter doesn't take any default value.

Note: The Active Directory Provider cmdlets, such as New-Item, Remove-Item, Remove-ItemProperty, Rename-Item, and Set-ItemProperty, also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets.

Specifies the accounts that can act on the behalf of users to services running as this managed service account or group-managed service account. This parameter sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the object.

Specifies the membership policy for systems that can use a group-managed service account. For a service to run under a group managed service account, the system must be in the membership policy of the account. This parameter sets the msDS-GroupMSAMembership attribute of a group-managed service account object. This parameter should be set to the principals allowed to use this group-managed service account.

Indicates that the cmdlet creates a group-managed service account that on success can be used by a service for successful outbound authentication requests only. This allows creating a group managed service account without the parameters required for successful inbound authentication.

Indicates that the cmdlet creates a managed service account that can be used only for a single computer. Managed service accounts that are linked to a single computer account were introduced in Windows Server 2008 R2.

Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that's 15 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is sAMAccountName.

Note: If the specified SAMAccountName string doesn't end with a $ (dollar sign), one is appended if necessary.

Specifies the Active Directory Domain Services (AD DS) instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services (AD LDS), AD DS, or Active Directory snapshot instance.

Domain name values:

• Fully qualified domain name (FQDN)
• NetBIOS name

Directory server values:

• Fully qualified directory server name
• NetBIOS name
• Fully qualified directory server name and port

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:

• By using Server value from objects passed through the pipeline.
• By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
• By using the domain of the computer running PowerShell.

Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add remove, replace or clear service principal name values.

To add values:

-ServicePrincipalNames @{Add=value1,value2,...}

To remove values:

-ServicePrincipalNames @{Remove=value3,value4,...}

To replace values:

-ServicePrincipalNames @{Replace=value1,value2,...}

To clear all values:

-ServicePrincipalNames $Null

You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names.

@{Add=value1,value2,...};@{Remove=value3,value4,...}

The operators are applied in the following sequence:

• Remove
• Add
• Replace

Indicates whether an account is trusted for Kerberos delegation. A service that runs under an account that's trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. The acceptable values for this parameter are:

• $False or 0
• $True or 1

Shows what would happen if the cmdlet runs. The cmdlet isn't run.