Managed Service Accounts in Active Directory

One of the many features introduced with Windows Server 2008 R2 is the Managed Service Account (MSA): a domain account for running services whose password is generated and rotated by Active Directory, so no administrator ever has to know or type it.

The prerequisites are an Active Directory schema extended to Windows Server 2008 R2 (with the domain functional level also raised to Windows Server 2008 R2 if you want automatic SPN management), and a server running Windows Server 2008 R2 or Windows 7 to host the service.

The most common mistake is trying to create a managed service account with the Active Directory Users and Computers snap-in. You cannot.

Even if you create the account in the Managed Service Accounts container with the snap-in, it is still an ordinary user account with a password you have to manage yourself, and to make it work you must grant it the user rights "Log on as a service" and "Log on as a batch job".

To create a managed service account you must use PowerShell. It is not complicated; a single cmdlet does it:

New-ADServiceAccount -Name (desired name of account)

Of course, before that you must load the Active Directory module into PowerShell:

Import-Module ActiveDirectory

And before that the following feature must be installed (it is part of the Remote Server Administration Tools):

Active Directory module for Windows PowerShell


I have described these steps in reverse order on purpose.

In practice you first install the feature, then load the module into PowerShell, and only then start working with your managed service accounts.

Once the service account is created, you need to install it on the server where you want to use it. The syntax is:

Install-ADServiceAccount -Identity "(name of service account)"

To install the account you must start PowerShell with "Run as administrator"; otherwise you will receive an error.


REMEMBER: a managed service account is bound to a single computer, so you need ONE managed service account per server; the same MSA cannot be installed on a second server. (The group Managed Service Account introduced in Windows Server 2012 removes this restriction.) This is also the main difference from a virtual account (NT SERVICE\<servicename>), which exists only on the local computer and has no identity of its own in the domain.

Now you are ready to use the managed service account with specific services: on the service's Log On tab enter the account as DOMAIN\name$ and leave both password fields blank, because the password is held and rotated by Active Directory.
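Here is the whole procedure as one script, added to this post as an example (it is not from the original post). The domain name CONTOSO, the account name svc-app, the host APP01 and the service name MyAppSvc are assumed placeholders to replace with your own; the first part runs on a machine that has the Active Directory module, the second part in an elevated PowerShell on the server that will host the service.

```powershell
# Added example: standalone managed service account, end to end.
# Placeholders (assumed, replace with your own): domain CONTOSO, MSA svc-app,
# host APP01, existing Windows service MyAppSvc.

$MsaName     = 'svc-app'
$Domain      = 'CONTOSO'
$ServiceName = 'MyAppSvc'

### Part 1: on a Windows Server 2008 R2 machine with RSAT (or on a DC) ###

# 1. The feature "Active Directory module for Windows PowerShell" must be installed.
Import-Module ServerManager
if (-not (Get-WindowsFeature RSAT-AD-PowerShell).Installed) {
    Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
}

# 2. Load the module, then create the account. It lands in CN=Managed Service Accounts.
#    Note: with the Windows Server 2012+ module add -RestrictToSingleComputer to get
#    this standalone behaviour; otherwise the cmdlet creates a group MSA and requires
#    -DNSHostName.
Import-Module ActiveDirectory
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -Enabled $true
}

### Part 2: on APP01, in a PowerShell started with "Run as administrator" ###

# 3. Bind the MSA to this computer. An MSA can be installed on ONE computer only;
#    this step fails if the account is already bound to another host.
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $MsaName

# 4. Check the binding before touching the service.
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "Managed service account $MsaName is not usable from $env:COMPUTERNAME"
}

# 5. Run the service as DOMAIN\name$ with no password: the password is generated and
#    rotated by Active Directory and is never typed by anyone. Unlike the Services
#    snap-in, sc.exe does not grant "Log on as a service"; if the service then fails
#    to start with a logon failure, grant that right in Local Security Policy.
$Account = '{0}\{1}$' -f $Domain, $MsaName
sc.exe config $ServiceName obj= $Account
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $ServiceName

# 6. Confirm which account the service runs as and which host the MSA is bound to.
sc.exe qc $ServiceName | Select-String SERVICE_START_NAME
Get-ADServiceAccount -Identity $MsaName -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers
```

Step 4 is the check worth keeping: Test-ADServiceAccount tells you whether this computer can actually obtain the account's credentials before you reconfigure a production service, and step 6 shows the one-host binding that the REMEMBER note above describes.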


For more on this topic, follow this link.


Querying Computers in Active Directory

If you need to produce reports from Active Directory, a convenient tool is dsquery, which is part of the Remote Server Administration Tools.

The first common query is how to list all computers, regardless of the OUs they are spread across.

And here it is:

dsquery computer

By default dsquery returns only the first 100 results, so you will miss computers in any but the smallest domains; to show more, add the -limit option:

dsquery computer -limit 1000

This shows the first 1000 computers in your Active Directory. If you have more than 1000 computers, raise the number, or use -limit 0 to return every match.

If you need this for a report, you can redirect the results to a text file and later import it into Excel.

Syntax for this is:

dsquery computer -limit 1000 > computers.txt

If you need to know which computers run which operating system, filter on the operatingSystem attribute:

dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"

OR

dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"

For those who want to know which service pack those systems are running:

dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 100000

The last two queries were published on sheenaustin.com.
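To turn these queries into a usable report, here is an added PowerShell wrapper (not from the original post or from sheenaustin.com) that runs dsquery with -limit 0, parses the -attr output into objects and exports them for Excel. It assumes dsquery.exe from RSAT is on the PATH and that dsquery pads -attr columns to fixed widths, which is what allows the header positions to be used to cut each row; the OS patterns and output file name are examples.

```powershell
# Added example: dsquery-based computer inventory as PowerShell objects.
# Assumes dsquery.exe (RSAT) is on the PATH and that its -attr output is padded to
# fixed-width columns, so the header offsets can be used to slice each row.

function Get-ComputerInventory {
    param(
        # LDAP wildcard for operatingSystem, e.g. 'Windows XP*' or 'Windows Server*'.
        [string]$OsPattern = '*'
    )
    $names  = 'cn', 'operatingSystem', 'operatingSystemServicePack'
    $filter = "(&(objectCategory=computer)(operatingSystem=$OsPattern))"

    # -limit 0 means no limit; the default of 100 silently truncates larger domains.
    $lines = & dsquery.exe '*' domainroot -scope subtree -limit 0 -attr $names -filter $filter
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

    $lines = @($lines | Where-Object { $_ -and $_.Trim() })
    if ($lines.Count -lt 2) { return }          # header only or nothing: no matches

    # Column start offsets come from the header line dsquery prints first.
    $header = $lines[0]
    $starts = @($names | ForEach-Object { $header.IndexOf($_) })

    foreach ($row in ($lines | Select-Object -Skip 1)) {
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $names.Count; $i++) {
            $start = $starts[$i]
            $end   = if ($i + 1 -lt $names.Count) { $starts[$i + 1] } else { $row.Length }
            $value = ''
            if ($start -lt $row.Length) {        # short row: trailing attribute is empty
                $len   = [Math]::Min($end, $row.Length) - $start
                $value = $row.Substring($start, $len).Trim()
            }
            $obj | Add-Member -MemberType NoteProperty -Name $names[$i] -Value $value
        }
        $obj
    }
}

# All Windows XP machines with their service pack, as a CSV that Excel opens directly.
Get-ComputerInventory -OsPattern 'Windows XP*' |
    Export-Csv -Path .\xp-computers.csv -NoTypeInformation

# Whole-domain breakdown by OS and service pack: a quick view of unsupported or
# unpatched systems that still have computer accounts in the directory.
Get-ComputerInventory |
    Group-Object operatingSystem, operatingSystemServicePack |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The breakdown at the end is the security use of these queries: systems with a stale operating system or an old service pack that still have computer accounts are the ones to chase down for patching or decommissioning, and because the wrapper uses -limit 0 the list is complete rather than cut off at the first 100 objects.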