
I am trying to script the new user creation process on Windows servers, and one part of this script is to set SPN records for that particular user. But I keep getting the error "New-ADUser: The name reference is invalid" when I try to pass the SPN parameter with values. I am trying to follow an example from the Microsoft website (Link). Any help will be appreciated.

It works fine if I remove the ServicePrincipalNames parameter itself.

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
$properties=@{
    Name="SQL Service Account For $customerName"
    DisplayName= "SQL Service Account For $customerName"
    ServicePrincipalNames= @{Add="MSSQLSvc\'$dbServerName.$domainName':1433","MSSQLSvc\'$dbServerName':1433"}
    Description= "SQL Service Account For $customerName"
    UserPrincipalName= "$sqlUser@$domainName"
    GivenName= "SQL Service Account For"
    Surname= "$customerName"
    SamAccountName= $sqlUser
    AccountPassword= $pwdsql
    Path= $path
    LogonWorkstations= $dbServerName
    TrustedForDelegation= $true
    Enabled= $True
    Credential= $credential
    PasswordNeverExpires= $True
    CannotChangePassword= $True
  }


New-ADUser @properties

Thanks,

Rahul

r4hul
  • Remove the single quotes from the SPNs, make it a single comma-separated string in double quotes. – Ansgar Wiechers Mar 26 '16 at 01:44
  • @AnsgarWiechers, tried that but it doesn't work. I still get the same error. Isn't it supposed to work either way? – r4hul Mar 28 '16 at 18:39
  • @AnsgarWiechers, so it works if I also remove "@{Add=...". Also changed the string in this way to avoid problems with ":" and changed "\" to "/" and it creates SPN now. Still wondering which one is the correct format. – r4hul Mar 28 '16 at 19:12
  • The correct format is [documented](https://technet.microsoft.com/en-us/library/cc961723.aspx). And yes, it's supposed to be a forward slash. I missed that in my response. – Ansgar Wiechers Mar 28 '16 at 19:21
  • @AnsgarWiechers Thanks for your inputs. – r4hul Mar 28 '16 at 20:09

1 Answer


So here is how I got it to work. I am not sure if this will work in all cases, but it works fine in my case for now. I changed the Service Principal Name input in the following way:

ServicePrincipalNames= "MSSQLSvc/${dbServerName}.${domainName}:1433", "MSSQLSvc/${dbServerName}:1433"

This creates two separate entries in the SPN records. If you put a single comma-separated string, it will create one single entry containing two comma-separated items.

Please let me know if someone has any idea why it works this way and not the way shown on the Microsoft URL I mentioned in my question. Thanks.

r4hul
  • I checked this yesterday, and my best guess is that because it's the New-ADUser cmdlet, there is no need for the verbs (Add, Remove, Replace) in the hash table for the parameter: since the object did not previously exist, the only reasonable option is to add the values to the newly created object. It looks like the documentation was incorrectly just copied from the Set-ADUser cmdlet. – Eelco L. Mar 29 '17 at 09:06
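Added example, not code from the question or the answer: it builds the SPN array the way the answer does (plain string array, forward slash, `${var}` so the colon is not read as a scope qualifier), checks that each value is well formed and not already registered on another account (a duplicate SPN makes Kerberos authentication to the service fail), and only then creates the account. `New-SqlSpnList` and `Test-SpnAvailable` are names chosen here; `$dbServerName`, `$domainName`, `$customerName`, `$sqlUser`, `$pwdsql`, `$path` and `$credential` are assumed to be set as in the question.

```powershell
Import-Module ActiveDirectory

function New-SqlSpnList {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$DomainName,
        [string]$PortOrInstance = '1433'
    )
    # Two entries, one per host-name form, exactly as in the accepted answer.
    # Format is service/host[:port-or-instance]; ${} keeps ':' out of the variable name.
    @(
        "MSSQLSvc/${HostName}.${DomainName}:${PortOrInstance}",
        "MSSQLSvc/${HostName}:${PortOrInstance}"
    )
}

function Test-SpnAvailable {
    param([Parameter(Mandatory)][string[]]$Spn)
    $ok = $true
    foreach ($s in $Spn) {
        # service/host[:port-or-instance][/servicename]
        if ($s -notmatch '^[^/\s]+/[^/\s:]+(:[^/\s]+)?(/[^/\s]+)?$') {
            Write-Warning "Malformed SPN: $s"
            $ok = $false
            continue
        }
        # Any object (user or computer) already holding this exact SPN in the domain
        $owner = Get-ADObject -Filter "servicePrincipalName -eq '$s'" -Properties servicePrincipalName
        if ($owner) {
            Write-Warning "SPN $s is already registered on $($owner.DistinguishedName)"
            $ok = $false
        }
    }
    return $ok
}

$spns = New-SqlSpnList -HostName $dbServerName -DomainName $domainName
if (-not (Test-SpnAvailable -Spn $spns)) {
    throw "Refusing to create $sqlUser with malformed or duplicate SPNs"
}

$properties = @{
    Name                  = "SQL Service Account For $customerName"
    SamAccountName        = $sqlUser
    UserPrincipalName     = "$sqlUser@$domainName"
    ServicePrincipalNames = $spns   # string[]; the @{Add=...} form belongs to Set-ADUser
    AccountPassword       = $pwdsql
    Path                  = $path
    Enabled               = $true
    Credential            = $credential
}
New-ADUser @properties

# Read back what was actually written to the new account
(Get-ADUser $sqlUser -Properties servicePrincipalName).servicePrincipalName
```

TrustedForDelegation from the question is left out on purpose; whether the account needs delegation at all, and constrained rather than unconstrained, is a separate decision from registering its SPNs.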