New-ADServiceAccount script keeps asking for Name

  • Question

  • Hello Everyone,

    As the title suggests, I am modifying Daniel Ornerling's script from the repository and have run into a couple of snags.  In order they are:

    1.  When running the script in ISE I keep getting prompted for the -name parameter and cannot figure out why.

    2.  I also receive the message that -AccountPassword is not a valid "cmdlet, function," etc.

    Here is the script for reference:

    param (
        [string] $system,
        [string] $function
    )
    $account = $system + $function
    $newaccount = "Svc_" + $account
    # Generate a secure password
    $characters = 'abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ'
    $nonchar = '123456789!$%&?+#@'
    $length = 12  #The total length will be 14, the last two characters are nonchar.
    # Select random characters
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $random2 = 1..2 | ForEach-Object { Get-Random -Maximum $nonchar.length }
    $private:ofs= "" 
    $password = [String]$characters[$random] + [String]$nonchar[$random2]
    # Create the account
    $displayname = $system + " " + $function + " Service account"
    $svcname = "Svc_" + $account
    	# $SamAccountName = "Svc_" + $system + $function
    	# $UserPrincipalName = "Svc_" + $account + "@xxx.com" #Insert your own domain here
        $DNSHostName = "Svc_" + $account + ".xxx.com" #Insert your own domain here
        $AccountPassword = ConvertTo-SecureString $Password -AsPlainText -Force
    	New-ADServiceAccount -DNSHostName $DNSHostName ` 
        -DisplayName $displayname `
        -name $svcname `
        -path "OU=Service Accounts,DC=xxx,DC=com" `
        -AccountPassword $AccountPassword `
        -Enabled:$True `
        -PasswordNeverExpires $True
        # -SamAccountName $SamAccountName
    	# -UserPrincipalName $UserPrincipalName
    	# -givenname $system
    	# -surname $function
    	# -ChangePasswordAtLogon:$False
    	# -Description "This service account was created using Azure Automation in OMS. "
    	# Change this OU to match your needs
    Write-Output "The account created is $($newaccount) with the password $($password)"

    Any help would be greatly appreciated!

    Tuesday, March 5, 2019 9:55 PM

All replies

  • The messages indicate the New-ADServiceAccount statement is not parsed correctly. It seems that $displayname has a space, so perhaps it should be quoted. Then -name would be recognized.

    Also, if $svcname is more than 20 characters long, you probably need to specify -SAMAccountName, as the latter cannot be more than 20 characters.

    Edit: Also, have you commented/asked your question on the script in the repository?

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, March 5, 2019 10:22 PM
  • I didn't even realize that there was a space in that command.  I will also try to keep the $svcname to less than 20 characters.  Currently, the name ends up being SVC_IGNITEMANAGER (17 chars).  The original script was written to use New-ADUser to create a Service Account so I have had to tweak a lot of this to work with New-ADServiceAccount.

    To answer your question about my posting a response to the repository post, I wanted to make sure that this was working before I did that.  This would allow me to do a side-by-side comparison for both scripts to show what was changed and why.  I never thought to ask the original author about how/why those changes would break things.  If these changes don't fix things then I will definitely reach out to the original author.

    I appreciate your input and I will let you know how these changes work.

    Wednesday, March 6, 2019 7:03 PM
  • OK, so I made the changes below but I am still being prompted for the value of Name:

    $displayname = "SVC_" + $account
    	# $SamAccountName = "SVC_" + $system + $function
    	# $UserPrincipalName = "SVC_" + $account + "@xxx.com" #Insert your own domain here
    $DNSHostName = "SVC_" + $account + ".xxx.com" #Insert your own domain here
    $AccountPassword = ConvertTo-SecureString $Password -AsPlainText -Force
    	New-ADServiceAccount -DNSHostName $DNSHostName ` 
        -DisplayName $displayname `
        -name $displayname `
        -path "OU=Service Accounts,DC=xxx,DC=com" `
        -AccountPassword $AccountPassword `
        -Enabled:$True `
        -PasswordNeverExpires $True

    This SHOULD cause $displayname to have the value SVC_IgniteMgr (I abbreviated Manager to reduce characters).  I enter Ignite at the system prompt and Mgr at the function prompt.  Then I see:

    cmdlet New-ADServiceAccount at command pipeline position 1
    Supply values for the following parameters:

    Everything looks right to me so hopefully someone sees what I am missing.

    Thursday, March 7, 2019 7:09 PM
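
In the script as posted on this page, the backtick that ends the New-ADServiceAccount -DNSHostName line is followed by a space, and PowerShell treats a backtick as a line continuation only when it is the last character on the line. The following is an added example, not code from the thread or from the original repository script; Get-StatementText, the sample strings and the Ignite/Mgr inputs are constructed for illustration. It uses the PowerShell parser to show how such a fragment splits into separate statements, then makes the call with splatting, which needs no backticks.

```powershell
# Added example. Get-StatementText is a hypothetical helper name.
function Get-StatementText {
    param([string] $ScriptText)
    $tokens = $null
    $errors = $null
    # ParseInput only builds the syntax tree; nothing in $ScriptText is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $ast.EndBlock.Statements | ForEach-Object { $_.Extent.Text }
}

# Constructed sample modelled on the posted call:
# the first line has a space after the backtick, the second does not.
$broken = @(
    'New-ADServiceAccount -DNSHostName $DNSHostName ` '
    '    -DisplayName $displayname `'
    '    -Name $svcname'
) -join "`n"

# Same text with whitespace between a backtick and the line end removed.
$fixed = $broken -replace '`[ \t]+(\r?\n)', '`$1'

foreach ($case in @{ Label = 'As posted'; Text = $broken }, @{ Label = 'Trimmed'; Text = $fixed }) {
    $statements = @(Get-StatementText $case.Text)
    '{0}: {1} statement(s)' -f $case.Label, $statements.Count
    $statements | ForEach-Object { '  [' + ($_ -replace '\s+', ' ') + ']' }
}

# Splatting: the parameters live in a hashtable, so no line continuation is needed.
$system   = 'Ignite'   # constructed input
$function = 'Mgr'      # constructed input
$svcname  = 'Svc_' + $system + $function
$newAccountParams = @{
    Name        = $svcname
    DisplayName = "$system $function Service account"
    DNSHostName = $svcname + '.xxx.com'                 # placeholder domain from the post
    Path        = 'OU=Service Accounts,DC=xxx,DC=com'   # placeholder OU from the post
    Enabled     = $true
}

# Only attempt the call where the ActiveDirectory module is available.
# -WhatIf reports what would be created without creating it.
if (Get-Command New-ADServiceAccount -ErrorAction SilentlyContinue) {
    New-ADServiceAccount @newAccountParams -WhatIf
}
```

Further parameters are added as additional keys in the hashtable.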