
I have tried to look for the c# code example to see how the AD service account is created but not much luck. Anyone can provide an example code for creating AD service account please?

I have tried UserPrincipal with $ at the end of the name but not much luck. Errors with Access Denied (can't create under root MyDomain or under a CN)

using System.DirectoryServices.AccountManagement;

// Values for the new account (constructed placeholders for this snippet).
string userName = "MySvcAccount";
string description = "Managed service account created from C#";

// Domain context bound to the specific LDAP container for managed service accounts
// (the original used domainContext.ConnectedServer before domainContext was assigned).
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "mydomain", "CN=Managed Service Accounts,dc=mydomain");
UserPrincipal userAccount = new UserPrincipal(domainContext)
{
  DisplayName = userName,
  SamAccountName = $"{userName}$",   // MSA names carry a trailing '$' like computer accounts
  Description = description
};
userAccount.Save();   // fails with "Access is denied" in the scenario described above
Jawad
  • What happens when you run the code above? Does anything happen? Is there any error? – mortb Mar 25 '19 at 14:57
  • When I try to run the above code, it errors with "Access is denied". Mostly because I can't create an account under "mydomain" directly or under the CN which is set up for MSAs. – Jawad Mar 25 '19 at 15:00
  • Seems to be an authorization issue – mortb Mar 25 '19 at 15:11
  • Are you able to create the account using powershell? https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj128431(v%3Dws.11) – mortb Mar 25 '19 at 15:11
  • I can create the accounts without any issues in powershell using new-adserviceaccount which maps the account under the CN=Managed Service Accounts. I wanted to find a native c# way of creating the account instead of calling powershell though. – Jawad Mar 25 '19 at 15:13
  • Is the C# program running as the same user as you run as in powershell? – mortb Mar 25 '19 at 15:15
  • I am using the same account in both powershell and c#. I am not sure if UserPrincipal is the right way to go about creating an AD Service Account though. – Jawad Mar 25 '19 at 15:16
  • Agree, it might be the wrong way. Sadly I don't know and I have not found any pages for creating AD service accounts in C# when googling – mortb Mar 25 '19 at 15:24
  • @MarcusLai did you happen to find a good C# solution? I am getting ready to go down this path and there is not much information. – Matt Sanders Nov 05 '19 at 05:18
  • Unfortunately I have not been able to find a solution purely in C#. I have a PowerShell invoke that does that for me now, which seems to be the only solution at this time – Jawad Nov 09 '19 at 15:55

1 Answer

Little late, but I think I can answer it. You need to use the NetAddServiceAccount function through logoncli.dll. I hadn't been able to get it to work in PowerShell, even with adding what I thought was an appropriate type shim, but I just came across a module that seems to work.

https://github.com/beatcracker/Powershell-Misc/blob/master/Use-ServiceAccount.ps1

The C# code for the type definition in that script should have everything you need to implement it for yourself.

Jordan Mills
  • Where does one find logoncli.dll? Once found, how do you suggest it's used in C#? – Jawad Feb 25 '20 at 18:50
  • Same place you find most other system libraries. Try system32. You'll probably need to learn how to use Win32 API calls in C#. If you have to ask... – Jordan Mills Apr 24 '20 at 17:28
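A C# P/Invoke shim for the logoncli.dll calls the answer points at, added here as an example rather than code from the post or from the linked script. The parameter lists, the flag value and the use of a null server name for the local host are assumptions modelled on the type definition in that script; NetAddServiceAccount is undocumented, so check them against the script before relying on them, and note that the call links the MSA to the local host (what Install-ADServiceAccount does) and needs local administrator rights.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: thin wrapper over the undocumented logoncli.dll service-account API.
// Signatures below are assumptions taken from the linked PowerShell script's type shim.
public static class ServiceAccountNative
{
    // Assumed flag value: only link the account to this host (no password handling here).
    public const int SERVICE_ACCOUNT_FLAG_LINK_TO_HOST_ONLY = 0x1;

    [DllImport("logoncli.dll", CharSet = CharSet.Unicode)]
    private static extern int NetAddServiceAccount(
        string ServerName, string AccountName, string Reserved, int Flags);

    [DllImport("logoncli.dll", CharSet = CharSet.Unicode)]
    private static extern int NetIsServiceAccount(
        string ServerName, string AccountName, ref bool IsService);

    [DllImport("logoncli.dll", CharSet = CharSet.Unicode)]
    private static extern int NetRemoveServiceAccount(
        string ServerName, string AccountName, int Flags);

    // Installs the MSA on the local host and then verifies that the host recognises it.
    // Returns the raw status code (0 = STATUS_SUCCESS) so the caller can log an
    // authorization failure rather than silently continuing with a half-installed account.
    public static int InstallAndVerify(string samAccountName, out bool installed)
    {
        installed = false;
        if (string.IsNullOrEmpty(samAccountName) || !samAccountName.EndsWith("$"))
            throw new ArgumentException("MSA names end with '$'", nameof(samAccountName));

        // null ServerName = local machine (assumption, as with other Net* APIs).
        int status = NetAddServiceAccount(null, samAccountName, null,
                                          SERVICE_ACCOUNT_FLAG_LINK_TO_HOST_ONLY);
        if (status != 0)
            return status;

        bool isService = false;
        status = NetIsServiceAccount(null, samAccountName, ref isService);
        installed = status == 0 && isService;
        return status;
    }

    // Unlinks the account from this host; flags 0 = plain removal (assumption).
    public static int Uninstall(string samAccountName) =>
        NetRemoveServiceAccount(null, samAccountName, 0);
}
```

Run this as a local administrator on the host that will use the account; a non-zero return value should be logged together with the account name, since a failed link is the usual sign of an authorization problem like the one in the question.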