Create Muliple GMSA Accounts and add groupmembership

Good Morning ( In Holland it is )

I have a challenge with creating multiple GMSA Accounts>
Probably something I overlook or just not have the correct command or the loop needs some editing

Then it turns out , the servername is present in the domain, only the script cannot find the server.
Tried with servername and Servername$ , both come back with the same eror.

" Identity info provided in the extended attribute: ‘PrincipalsAllowedToRetrieveManagedPassword’ could not be resolved. Reason: ‘Cannot find an object with identity: ‘w1122a1142$’ under: ‘DC=name DC=pb’.’. At line:21 char:5 "

Last but not least :blush:
The new GMSA cannot be fount when I want to add it to AD groups.

To continue the work and it is just 1 account I do it manually, but of course this is not why we build a script.

Thanks for pointing in the right direction.
It makes me understand the scripting way better, and I realy appreciate this. :pray:

#import the information from a csv 
$Import = import-csv 'P:\Users\PieterB\Scripts\CSV\New-GMSA Account.csv' -Delimiter ";"
$domain = "cicwp-acc.nl"
$DC = Get-ADDomainController -server $domain -Filter * | ? {$_.OperationMasterRoles -contains 'infrastructuremaster'} | Select -exp Hostname

$Gmsa= foreach($account in $Import){
    $Data = @{
        Name = $account.Gmsa
        Server =$DC
        Displayname = $account.name
        Description = $account.description + $account.wnr
        DNSHostname = $account.name + $account.domain
        KerberosEncryptionType = "AES128,AES256"
        PrincipalsAllowedToRetrieveManagedPassword = $account.principal
        Enabled = $true
        Passthru = $true
        Whatif = $false
        }
              
    #write-verbose -Verbose "creating user : " + $account.name
        Foreach($entry in $data){
        New-ADServiceAccount @Data 
        }
         }#end foreach

        start-sleep -Seconds 10

#add-A GMSA to a local administrator group
foreach($account in $gmsa){
    add-ADPrincipalGroupMembership $account.name -Server $account.domain -MemberOf $account.Adgroup
           }

#add comment for the change ticket          
$Topdesk = "New-ADServiceAccount -Name $($account.name) -Server $($account.domain)  –DisplayName $($account.name) –Description $($account.description) | $($account.WAnr)  -DNSHostName $($account.DNSHostname) -KerberosEncryptionType AES128,AES256 –PrincipalsAllowedToRetrieveManagedPassword $($account.Principal) "

#For a better output in case of Multiple GMSA
$Newgmsa     = $account.name
$accountlist = $newgmsa.getenumerator() |out-string

#final Output for the Change Ticket
$output = @()
$output  += write-output "GMSA Account aangemaakt: $accountlist`n `n $Topdesk `n `n "
$output  += "add the account(s) to $($Account.Adgroup)"

$output |set-clipboard

Hmmm … looking at the documentation …

… the type of this parameter should be an [ADPrincipal[]]. You use the input directly from your CSV file. I’d expect this to be [String]. I’d try to query the desired account in advance and provide the object as the value for the paramter -PrincipalsAllowedToRetrieveManagedPassword.