Windows Server Managed Service Account Gotcha

There is a feature/bug in the Windows Server 2008 R2 New-ADServiceAccount PowerShell cmdlet: it happily creates a managed service account (MSA) with a name longer than 15 characters, but an account with such a name can never be installed on a server. The reason is that an MSA is a computer-class object in Active Directory (its sAMAccountName is the name plus a trailing $), and computer account names are bound by the 15-character NetBIOS name limit. So MSA names must be 15 characters or fewer.

First, let's create a managed service account called SVC_SQL01_LongName using PowerShell. The account name is 18 characters long. You can run the following command on a Windows Server 2008 R2 domain controller, or on a 2008 R2 member server which has the Active Directory Module for PowerShell installed. Make sure the PowerShell session you open has the AD module loaded (Import-Module ActiveDirectory).

New-ADServiceAccount SVC_SQL01_LongName -Enabled $true -Path "CN=Managed Service Accounts,DC=contoso,DC=net" -ServicePrincipalNames "MSSQLSVC/SQL01.contoso.net:1433" -TrustedForDelegation $True

(Note that -TrustedForDelegation $True enables unconstrained Kerberos delegation for the account. It is not needed to create or install an MSA; leave it off unless the service genuinely requires delegation, and prefer constrained delegation when it does.)

Great, the account is created. Now, here comes the problem. Log on to the Server 2008 R2 member server which will be using the service account, say your SQL server. If your member server doesn't have the AD PowerShell module, run the following PowerShell commands:

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Then, close your PowerShell session and, from Administrative Tools, open an Active Directory Module for Windows PowerShell console and type:

Install-ADServiceAccount SVC_SQL01_LongName

It will fail with:

Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.
At line:1 char:25
+ install-adserviceaccount SVC_SQL01_LongName
    + CategoryInfo          : WriteError: (SVC_SQL01_LongName:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Doh, not good. The NTSTATUS code 0xc0000017 is STATUS_NO_MEMORY, which points nowhere near the real cause. Now, create another managed service account with a shorter name, say 15 characters long, called SVC_001_SQL01_D. Run the Install-ADServiceAccount command again, and no error messages!

Make sure all of your managed service account names are 15 characters or fewer. The same NetBIOS-derived limit applies to group Managed Service Accounts (gMSAs) on later Windows Server versions. Microsoft has a nice and very detailed managed service accounts How-To, but nowhere does it mention a 15-character maximum, and neither does the friendlier blog post about managed service account best practices that this post links to.
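The following script is an added example, not code from the original post: it wraps the 2008 R2 New-ADServiceAccount cmdlet with a pre-flight check on the name length, and audits a domain for MSAs that already exist with names too long to install. The domain, container path and SPN are the placeholders used in this post; on Windows Server 2012 and later the cmdlet creates gMSAs by default and needs additional parameters (such as -RestrictToSingleComputer or -DNSHostName), so the New-CheckedMsa wrapper is written for 2008 R2 only.

```powershell
# Added example: guard against MSA names longer than 15 characters.
# Assumes the AD module is available and the domain is contoso.net (placeholders from the post).
Import-Module ActiveDirectory

# An MSA is a computer-class object; its sAMAccountName is "<Name>$" and the
# name part has to fit the 15-character NetBIOS computer-name limit.
$MaxMsaNameLength = 15

function Test-MsaName {
    param([Parameter(Mandatory)][string]$Name)

    if ($Name.Length -gt $MaxMsaNameLength) {
        $msg = "'{0}' is {1} characters; MSA names must be {2} or fewer, or Install-ADServiceAccount fails with 0xc0000017." -f $Name, $Name.Length, $MaxMsaNameLength
        Write-Warning $msg
        return $false
    }
    # Characters that are not valid in a NetBIOS/computer name.
    if ($Name -match '[\\/:*?"<>|,\s]') {
        Write-Warning "'$Name' contains characters that are not allowed in a computer-style account name."
        return $false
    }
    return $true
}

function New-CheckedMsa {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Path = 'CN=Managed Service Accounts,DC=contoso,DC=net',
        [string[]]$ServicePrincipalNames
    )
    if (-not (Test-MsaName -Name $Name)) {
        throw "Refusing to create MSA '$Name': the name would not be installable."
    }
    # Deliberately no -TrustedForDelegation: that switch turns on unconstrained
    # delegation and is not needed to create or install the account.
    New-ADServiceAccount -Name $Name -Enabled $true -Path $Path `
        -ServicePrincipalNames $ServicePrincipalNames
}

function Get-OversizedMsa {
    # List MSAs that already exist with names too long to install anywhere.
    Get-ADServiceAccount -Filter * -Properties SamAccountName |
        Where-Object { $_.Name.Length -gt $MaxMsaNameLength } |
        Select-Object Name, SamAccountName, DistinguishedName
}

# Usage (names taken from the post):
Test-MsaName -Name 'SVC_SQL01_LongName'   # 18 characters: warning, returns $false
Test-MsaName -Name 'SVC_001_SQL01_D'      # 15 characters: returns $true
New-CheckedMsa -Name 'SVC_001_SQL01_D' -ServicePrincipalNames 'MSSQLSVC/SQL01.contoso.net:1433'
Get-OversizedMsa
```

Run Get-OversizedMsa from any machine with the AD module; anything it returns should be recreated with a shorter name. After Install-ADServiceAccount succeeds on the member server, Test-ADServiceAccount <Name> confirms that the server can actually use the account.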

3 Comments
cubeover
October 5, 2014 10:28 pm

Thanks for the tip.

April 15, 2015 7:34 am

Any indication whether Group Managed Service Accounts (gMSAs) still have this limitation?

August 7, 2017 11:22 pm

Do you know the repercussions if the default Managed Service Accounts container is moved elsewhere or deleted? Also, I have seen in my lab that the MSA container is available once a domain is brought up from scratch at Windows 2008 R2 functional level. Is this container also available if legacy domains are upgraded to Windows 2008 R2? Quick check in lab: a) Moved the MSA container under an OU (Test OU), so the new location of the MSA container was MSATestdomain.com. Created a MSA object without any path and I could see that the MSA object got created in the…