DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt

.NAME
    ADManagedServiceAccount
 
.DESCRIPTION
    The ADManagedServiceAccount DSC resource will manage Single and Group Managed Service Accounts (MSAs) within Active Directory. A Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators.
    A Single Managed Service Account can only be used on a single computer, whereas a Group Managed Service Account can be shared across multiple computers.
 
    ## Requirements
 
    * Target machine must be running Windows Server 2008 R2 or later.
    * Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller.
 
.PARAMETER ServiceAccountName
    Key - String
    Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters or less. Once created, the user's SamAccountName and CN cannot be changed.
 
.PARAMETER AccountType
    Required - String
    Allowed values: Group, Standalone
    The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA).
 
.PARAMETER Credential
    Write - Instance
    Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController.
 
.PARAMETER Description
    Write - String
    Specifies the description of the account (ldapDisplayName 'description').
 
.PARAMETER DisplayName
    Write - String
    Specifies the display name of the account (ldapDisplayName 'displayName').
 
.PARAMETER DomainController
    Write - String
    Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.
 
.PARAMETER Ensure
    Write - String
    Allowed values: Present, Absent
    Specifies whether the user account is created or deleted. If not specified, this value defaults to Present.
 
.PARAMETER KerberosEncryptionType
    Write - StringArray
    Allowed values: None, RC4, AES128, AES256
    Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the flags of the Active Directory msDS-SupportedEncryptionTypes attribute on the account.
 
.PARAMETER ManagedPasswordPrincipals
    Write - StringArray
    Specifies the membership policy for systems which can retrieve the password of a group managed service account (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.
 
.PARAMETER MembershipAttribute
    Write - String
    Allowed values: SamAccountName, DistinguishedName, ObjectGUID, ObjectSid
    Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName.
 
.PARAMETER Path
    Write - String
    Specifies the X.500 path of the Organizational Unit (OU) or container where the new account is created. Specified as a Distinguished Name (DN).
 
.PARAMETER Enabled
    Read - Boolean
    Returns whether the user account is enabled or disabled.
 
.PARAMETER DistinguishedName
    Read - String
    Returns the Distinguished Name of the Service Account.
 
.EXAMPLE 1
 
This configuration will create a standalone managed service account in the default 'Managed Service Accounts'
container.
 
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Standalone'
        }
    }
}
 
.EXAMPLE 2
 
This configuration will create a group managed service account in the default 'Managed Service Accounts'
container.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'ExampleGroupMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
        }
    }
}
 
.EXAMPLE 3
 
This configuration will create a group managed service account with members in the default 'Managed Service
Accounts' container.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountWithMembers_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADManagedServiceAccount 'AddingMembersUsingSamAccountName'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
            ManagedPasswordPrincipals = 'User01', 'Computer01$'
        }
 
        ADManagedServiceAccount 'AddingMembersUsingDN'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service02'
            AccountType = 'Group'
            # Principals are given as Distinguished Names, so the membership
            # attribute must be switched from its SamAccountName default.
            MembershipAttribute = 'DistinguishedName'
            ManagedPasswordPrincipals = 'CN=User01,OU=Users,DC=contoso,DC=com', 'CN=Computer01,OU=Computers,DC=contoso,DC=com'
        }
    }
}
 
.EXAMPLE 4
 
This configuration will create a group managed service account in the specified path.
 
Configuration ADManagedServiceAccount_CreateGroupManagedServiceAccountCustomPath_Config
{
    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        ADManagedServiceAccount 'ExampleGroupMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Group'
            # Path is the DN of the OU that will contain the new account.
            Path = 'OU=ServiceAccounts,DC=contoso,DC=com'
        }
    }
}
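.EXAMPLE 5

The following configuration is an added example and is not part of the ActiveDirectoryDsc project's own examples. It combines the parameters documented above into a hardened gMSA definition: the account lives in a dedicated OU, supports only AES Kerberos encryption types (so the msDS-SupportedEncryptionTypes attribute no longer advertises RC4), and its password may be retrieved only by two explicitly named hosts identified by Distinguished Name. A second block removes a retired standalone MSA. The account name 'WebApp01', the host and OU names, and 'LegacySvc01' are assumed placeholders.

```powershell
# Added example (not from the ActiveDirectoryDsc project). 'WebApp01',
# 'LegacySvc01', the OU path and the host DNs are assumed placeholders.
Configuration ADManagedServiceAccount_HardenedGroupMSA_Config
{
    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        # gMSA whose managed password can be retrieved only by Web01 and Web02.
        # Limiting KerberosEncryptionType to AES means no RC4 service tickets
        # are issued for this account; MembershipAttribute must match the form
        # in which the principals are listed (here, Distinguished Names).
        ADManagedServiceAccount 'WebAppGroupMSA'
        {
            Ensure                    = 'Present'
            ServiceAccountName        = 'WebApp01'
            AccountType               = 'Group'
            Description               = 'Service identity for the WebApp01 application pool'
            Path                      = 'OU=ServiceAccounts,DC=contoso,DC=com'
            KerberosEncryptionType    = @('AES128', 'AES256')
            MembershipAttribute       = 'DistinguishedName'
            ManagedPasswordPrincipals = @(
                'CN=Web01,OU=Servers,DC=contoso,DC=com',
                'CN=Web02,OU=Servers,DC=contoso,DC=com'
            )
        }

        # Retire a standalone MSA that is no longer in use. AccountType is a
        # required parameter of the resource, so it is stated even for removal.
        ADManagedServiceAccount 'RetiredStandaloneMSA'
        {
            Ensure             = 'Absent'
            ServiceAccountName = 'LegacySvc01'
            AccountType        = 'Standalone'
        }
    }
}
```

Compile with `ADManagedServiceAccount_HardenedGroupMSA_Config -OutputPath C:\DscConfig` and apply with `Start-DscConfiguration -Path C:\DscConfig -Wait -Verbose`. Because the configuration runs on the node itself, Credential and DomainController are omitted; both are needed when the node is not a domain controller.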