When using the PowerShell Cmdlets for creating and installing Managed Service Accounts, certain errors can be thrown. What does each error mean?
Asked
Active
Viewed 2,097 times
2 Answers
1
New-ADServiceAccount
The name provided is not a properly formed account name
The SAM account name exceeds the 20 character limit. A $ is automatically appended when missing and counts towards this limit.
Examples:
New-ADServiceAccount abcdefghijklmno -SamAccountName abcdefghijklmnopqrst
New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmnopqrst
New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmnopqrst
Install-ADServiceAccount
Cannot install service account. Error Message: 'Unknown error (0xc0000022)'.
Right click on the PowerShell shortcut and choose Run as Administrator.
Cannot install service account. Error Message: 'Unknown error (0xc0000106)'.
The SAM account name is within the 20 character limit, but its full name exceeds this limit.
Examples:
New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmno
New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmnopqrs
Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.
The full name and the SAM account name are within the 20 character limit, but both of them exceed the NetLogon 15 characters limit.
Examples:
New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmnopqrs
Cannot install service account. Error Message: 'Unknown error (0xc0000225)'.
The full name and the SAM account name are within the 20 character limit, but one of them exceeds the NetLogon 15 character limit.
Examples:
New-ADServiceAccount abcdefghijklmno -SamAccountName abcdefghijklmnopqrs
New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmno
Sources used in addition to own research:
-
I've tested above findings multiple times, so there shouldn't be any mistake. If you do find a mistake, please let me know. – Stijn Apr 01 '14 at 13:31
1
I spent hours trying to figure out what this message meant:
Cannot install service account. Error Message: '{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
Install-ADServiceAccount (Get-ADServiceAccount msa_test1)
Install-ADServiceAccount : Cannot install service account. Error Message: '{Not Enough Quota}
Not enough virtual memory or paging file quota is available to complete the specified operation.'.
At line:1 char:1
+ Install-ADServiceAccount (Get-ADServiceAccount msa_test1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (msa_test1:String) [Install-ADServiceAccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD
irectory.Management.Commands.InstallADServiceAccount
This error message is completely misleading. The cause of the message was:
The server on which I was executing Install-ADServiceAccount already had another MSA installed. This other MSA had a cn attribute that did not exactly match the sAMAccountName attribute.
Make sure that for all MSA's:
- the MSA
cndoes not end with$ - the MSA
cnmatches exactly thesAMAccountName
Serge
- 111
- 5
-
In my case the **CN** did not have to match the sAMAccountName, but it had to be **15 characters or less**. What was really puzzling was that Install-ADServiceAccount worked on *some* computers, but failed on others, with no obvious configuration differences. So, this naming scheme: cn = `MyApplication Workstation HQnn`, sAMAccountName = `svc-myappwknn` worked on some but failed on others, while cn = `MyAppWK HQnn`, sAMAccountName = `svc-myappwknn` worked everywhere. – Jakub Berezanski Mar 29 '18 at 11:54
-
See also: https://www.derekseaman.com/2010/02/server-2008-r2-managed-service-account.html – Jakub Berezanski Mar 29 '18 at 12:00