Windows Server Managed Service Account Gotcha

There is a feature/bug in the Windows Server 2008 R2 managed service account PowerShell cmdlets that limits the account name to 15 characters or less. The cause is that a standalone MSA is a computer-derived object whose sAMAccountName gets a trailing $, so the 15-character NetBIOS computer-name limit applies to it.

First, let’s create a managed service account called SVC_SQL01_LongName using PowerShell. The service account is 18 characters long. You can run the following command on a Windows Server 2008 R2 domain controller, or a 2008 R2 member server which has the Active Directory Module for PowerShell installed. Make sure the PowerShell you open has the AD module loaded.

New-ADServiceAccount SVC_SQL01_LongName -Enabled $true -Path "CN=Managed Service Accounts,DC=contoso,DC=net" -ServicePrincipalNames "MSSQLSVC/SQL01.contoso.net:1433" -TrustedForDelegation $True

Great, the account is created. Now, here comes the problem. Log on to the Server 2008 R2 member server which will be using the service account, say your SQL server. If your member server doesn't have the AD PowerShell module, run the following PowerShell commands:

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Then, close your PowerShell and from the Administrative Tools open an Active Directory Module for Windows PowerShell console and type:

Install-AdServiceAccount SVC_SQL01_LongName

It will fail with:

Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.
At line:1 char:25
+ install-adserviceaccount SVC_SQL01_LongName
    + CategoryInfo          : WriteError: (SVC_SQL01_LongName:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Doh.. not good. Now, create another managed service account with a shorter name, say 15 characters long, called SVC_001_SQL01_D. Run the Install-ADServiceAccount command again, and no error messages!

Make sure all of your managed service account names are 15 characters or less. Microsoft has a nice and very detailed managed service accounts How-To you can find here. Nowhere does it mention a 15 character maximum, though. A more friendly blog post about managed service account best practices is here.
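The following is an added example, not code from the original post: it puts the 15-character test in front of New-ADServiceAccount so a bad name is rejected before the object is created, and it audits the directory for existing accounts that will hit the same Install-ADServiceAccount error. The function names, the default -Path and the sample account names are assumptions; the cmdlets are the Active Directory module's own.

```powershell
# Added example: pre-flight check for the 15-character MSA name limit,
# plus an audit of accounts already in the domain. Needs the AD module.
Import-Module ActiveDirectory

function New-CheckedServiceAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        # Assumed default; use your own domain's container.
        [string]$Path = "CN=Managed Service Accounts,DC=contoso,DC=net",
        [string[]]$ServicePrincipalNames
    )
    # The sAMAccountName becomes "<Name>$", so the name itself must fit in 15 characters;
    # anything longer creates fine but fails later in Install-ADServiceAccount.
    if ($Name.Length -gt 15) {
        throw "MSA name '$Name' is $($Name.Length) characters; the limit is 15."
    }
    New-ADServiceAccount -Name $Name -Enabled $true -Path $Path `
        -ServicePrincipalNames $ServicePrincipalNames
}

# Audit: every MSA whose name already exceeds the limit and will not install.
function Get-OverlongServiceAccount {
    Get-ADServiceAccount -Filter * |
        Where-Object { $_.Name.Length -gt 15 } |
        Select-Object Name, SamAccountName, DistinguishedName
}

# 15 characters: created normally (hypothetical SPN for a SQL instance).
New-CheckedServiceAccount -Name 'SVC_001_SQL01_D' `
    -ServicePrincipalNames 'MSSQLSVC/SQL01.contoso.net:1433'

# 18 characters: rejected before anything is written to the directory.
try {
    New-CheckedServiceAccount -Name 'SVC_SQL01_LongName'
} catch {
    Write-Warning $_.Exception.Message
}

Get-OverlongServiceAccount | Format-Table -AutoSize
```

Run the audit on a domain controller or on a member server with RSAT-AD-PowerShell installed; any row it lists is an account that needs to be recreated with a shorter name.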

cubeover

Thanks for the tip.

@Brironic

Any indication whether Group Managed Service Accounts (gMSAs) still have this limitation?

Cloud Indonesia

Do you know the repercussions if the default Managed Service Accounts container is moved elsewhere or deleted? Also, I have seen in my lab that the MSA container is available once a domain is brought up from scratch at Windows 2008 R2 functional level. Is this container also available if legacy domains are upgraded to Windows 2008 R2? Quick check in lab: a) Moved the MSA container under an OU (Test OU), so the new location of MSA container was MSATestdomain.com – Created a MSA object without any path and I could see that the MSA object got created in the…
