Good Morning ( In Holland it is )
I have a challenge with creating multiple GMSA Accounts>
Probably something I overlook or just not have the correct command or the loop needs some editing
Then it turns out , the servername is present in the domain, only the script cannot find the server.
Tried with servername and Servername$ , both come back with the same eror.
" Identity info provided in the extended attribute: ‘PrincipalsAllowedToRetrieveManagedPassword’ could not be resolved. Reason: ‘Cannot find an object with identity: ‘w1122a1142$’ under: ‘DC=name DC=pb’.’. At line:21 char:5 "
Last but not least
The new GMSA cannot be fount when I want to add it to AD groups.
To continue the work and it is just 1 account I do it manually, but of course this is not why we build a script.
Thanks for pointing in the right direction.
It makes me understand the scripting way better, and I realy appreciate this.
#import the information from a csv
$Import = import-csv 'P:\Users\PieterB\Scripts\CSV\New-GMSA Account.csv' -Delimiter ";"
$domain = "cicwp-acc.nl"
$DC = Get-ADDomainController -server $domain -Filter * | ? {$_.OperationMasterRoles -contains 'infrastructuremaster'} | Select -exp Hostname
$Gmsa= foreach($account in $Import){
$Data = @{
Name = $account.Gmsa
Server =$DC
Displayname = $account.name
Description = $account.description + $account.wnr
DNSHostname = $account.name + $account.domain
KerberosEncryptionType = "AES128,AES256"
PrincipalsAllowedToRetrieveManagedPassword = $account.principal
Enabled = $true
Passthru = $true
Whatif = $false
}
#write-verbose -Verbose "creating user : " + $account.name
Foreach($entry in $data){
New-ADServiceAccount @Data
}
}#end foreach
start-sleep -Seconds 10
#add-A GMSA to a local administrator group
foreach($account in $gmsa){
add-ADPrincipalGroupMembership $account.name -Server $account.domain -MemberOf $account.Adgroup
}
#add comment for the change ticket
$Topdesk = "New-ADServiceAccount -Name $($account.name) -Server $($account.domain) –DisplayName $($account.name) –Description $($account.description) | $($account.WAnr) -DNSHostName $($account.DNSHostname) -KerberosEncryptionType AES128,AES256 –PrincipalsAllowedToRetrieveManagedPassword $($account.Principal) "
#For a better output in case of Multiple GMSA
$Newgmsa = $account.name
$accountlist = $newgmsa.getenumerator() |out-string
#final Output for the Change Ticket
$output = @()
$output += write-output "GMSA Account aangemaakt: $accountlist`n `n $Topdesk `n `n "
$output += "add the account(s) to $($Account.Adgroup)"
$output |set-clipboard