How to use long names to refer to Group Managed Service Accounts (gMSA)

Tags: active-directory, windows-server-2012

Commonly, domain user accounts are used as service accounts. With domain user accounts, the username can easily be as long as 64 characters as long as the User Principal Name (UPN) is used to refer to the account, e.g. longusername@mydomainfqdn.domainsuffix. If you still use the legacy pre-Windows 2000 names (SAM) you have to truncate it to ~20 characters, e.g. mydomain\truncname.

When using the New-ADServiceAccount PowerShell cmdlet to create a new Group Managed Service Account (gMSA) and a name longer than 15 characters is specified, an error is returned. To specify a longer name, the SAM name must be specified separately, e.g.:

New-ADServiceAccount -Name longname -SamAccountName truncname ...

To configure a service to run as the new gMSA, I can use the legacy username format mydomain\truncname$ but using usernames with a maximum of 15 characters in 2013 is a smell.

How do I refer to a gMSA using the UPN-style format instead?

I tried the longname$@domainfqdn approach but that didn't work. It also seems that the gMSA object in AD doesn't have a userPrincipalName attribute value specified.

Best Answer

Commonly domain user accounts are used as service accounts.

Yes, and no. Domain user accounts are commonly used as service logon accounts. This specific use of user accounts is not really the same as a Managed Service Account.
Anyways, the Managed Service Account object class does in fact have a userPrincipalName, but it doesn't seem to get populated by default when you create a new managed service account.

The New-ADServiceAccount cmdlet accepts a parameter called OtherAttributes which allows you to set account attributes by LDAP Display Name:

New-ADServiceAccount -Name longName -sAMAccountName truncname -OtherAttributes @{'userPrincipalName'="longname@my.upn.suffix.com"}
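A fuller version of the same approach, added here as an example and not part of the answer above: it guards the 15-character SAM limit the question describes, creates the gMSA with the UPN set through -OtherAttributes, restricts password retrieval to a host group, and then confirms the attribute is resolvable. All names, the UPN suffix, the DNS host name and the group are assumed placeholders.

```powershell
# Added example (not the answer's own code). Every name below is an assumed placeholder.
Import-Module ActiveDirectory

$longName    = 'svc-reporting-backend-prod'                     # assumed friendly name (> 15 chars)
$samName     = 'svcrptbackend'                                  # assumed SAM name, 15 chars or fewer
$upnSuffix   = 'corp.example.com'                               # assumed UPN suffix
$dnsHostName = 'svc-reporting-backend-prod.corp.example.com'    # assumed DNS host name
$hostGroup   = 'GRP-ReportingHosts'                             # assumed group of computers allowed
                                                                # to retrieve the managed password

# Guard: the question's limit is 15 characters for the SAM name; AD appends the
# trailing '$' itself, so do not include it here.
if ($samName.Length -gt 15) {
    throw "SamAccountName '$samName' is $($samName.Length) characters; the limit is 15."
}
if ($samName.EndsWith('$')) {
    throw "Do not include the trailing '$' in SamAccountName; it is added automatically."
}

$upn = "$longName@$upnSuffix"

# Create the gMSA: long display/CN name, short SAM name, explicit UPN via LDAP display name.
# Limiting PrincipalsAllowedToRetrieveManagedPassword to one group keeps the account
# usable only from the hosts that actually run the service.
New-ADServiceAccount -Name $longName `
    -SamAccountName $samName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -OtherAttributes @{ 'userPrincipalName' = $upn }

# Verify what landed in the directory. Looking the object up by the UPN we just set
# shows the attribute is populated and searchable; SamAccountName comes back with '$'.
$gmsa = Get-ADServiceAccount -Filter "userPrincipalName -eq '$upn'" `
    -Properties SamAccountName, UserPrincipalName
if (-not $gmsa) {
    throw "gMSA with userPrincipalName '$upn' was not found after creation."
}
$gmsa | Select-Object Name, SamAccountName, UserPrincipalName

# For a gMSA that already exists without a UPN, backfill the attribute the same way:
# Set-ADServiceAccount -Identity "$samName$" -Replace @{ 'userPrincipalName' = $upn }
```

Run it from a host with the ActiveDirectory module and rights to create objects in the Managed Service Accounts container; the KDS root key must already exist for gMSA creation to succeed.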