Powershell – Active Directory – Account exists but cannot find it to remove it


I'm trying to add an AD Managed Service Account and my first attempt was as follows:

New-ADServiceAccount -DNSHostName VM-Backup-Service -Name "VM Backup" -samAccountName VM_Backup -Path "OU=AD_Managed_Service_Accounts,DC=company,DC=local"

This command basically hung, I think because I pointed DNSHostName to something non-existent because I didn't do enough reading. I then tried to correct it and point it at the master DC using its FQDN:

New-ADServiceAccount -DNSHostName AUDC.company.local -Name "VM Backup" -SamAccountName VM_Backup -Path "OU=AD_Managed_Service_Accounts,DC=company,DC=local"

The problem I have now is that AD says the account already exists:

New-ADServiceAccount : The specified account already exists

Which would be no big problem, if I could actually find said account in order to remove it before re-adding it correctly. I've tried tracking it down with:

Get-ADServiceAccount -filter 'samAccountName -like "*VM_Backup*"'
Get-ADUser -filter 'samAccountName -like "*VM_Backup*"'

And the following returns nothing, which implies there are no Service Accounts in the domain?

Get-ADServiceAccount -filter *

If anyone has suggestions for ways to track it down, it would be much appreciated. The only hints I have are that I know I specified the samAccountName in the commands above, and the snippet of the CN=VM Backup that is returned when it says the account already exists:

New-ADServiceAccount : The specified account already exists
At line:1 char:1
+ New-ADServiceAccount -DNSHostName yyy-server-001.companydomain.local  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (CN=VM Backup,OU...ompany,DC=local:String) [New-ADServiceAccount], ADIdentityAlreadyExistsException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
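New-ADServiceAccount checks the name against every object class, not just managed service accounts, so a class-specific search like Get-ADServiceAccount can miss the object that is blocking the name. The script below is an added example, not code from the question: it queries every domain controller with a class-agnostic LDAP filter, includes deleted (tombstoned) objects so you can see whether the hung creation ever completed, and escapes the search terms so a name containing LDAP metacharacters cannot alter the filter. The names 'VM Backup' and 'VM_Backup' are taken from the question; the function name is my own.

```powershell
# Added example (not code from the original post): locate an AD object by CN or
# sAMAccountName across all object classes, all DCs and the Deleted Objects container.
Import-Module ActiveDirectory

function Find-ADObjectByName {
    param(
        [Parameter(Mandatory)][string]$Cn,             # e.g. 'VM Backup'
        [Parameter(Mandatory)][string]$SamAccountName  # e.g. 'VM_Backup'
    )
    $domain = Get-ADDomain

    # Escape RFC 4515 filter metacharacters before interpolating the values
    # into an LDAP filter; backslash must be handled first.
    $ldapEscape = {
        param($s)
        $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    }
    $cnEsc  = & $ldapEscape $Cn
    $samEsc = & $ldapEscape $SamAccountName

    # Managed service accounts are stored with a trailing '$' on sAMAccountName,
    # so match both the bare and the suffixed form.
    $filter = "(|(cn=$cnEsc)(sAMAccountName=$samEsc)(sAMAccountName=$samEsc`$))"

    # Query each DC separately: a partially replicated object may exist on only one.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADObject -Server $dc.HostName -LDAPFilter $filter `
            -SearchBase $domain.DistinguishedName -SearchScope Subtree `
            -IncludeDeletedObjects `
            -Properties objectClass, sAMAccountName, whenCreated, isDeleted |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } },
                      Name, ObjectClass, sAMAccountName, isDeleted, whenCreated, DistinguishedName
    }
}

# Usage: list every object that could be causing the "already exists" error.
Find-ADObjectByName -Cn 'VM Backup' -SamAccountName 'VM_Backup' | Format-Table -AutoSize
```

A live object that turns up with an unexpected ObjectClass (for example msDS-GroupManagedServiceAccount when you expected msDS-ManagedServiceAccount, or a leftover from an aborted run) can be removed with Remove-ADObject -Identity using the DistinguishedName shown. Rows with isDeleted set to True are tombstones; AD renames those on deletion, so they do not block reuse of the name, but they do tell you whether the first command created anything before it hung.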

Best Answer

So I believe there were multiple parts to solving this:

  1. It appears that I needed to have the DC in the default "Domain Controllers" OU (not in a sub/child OU, as per this link: https://social.technet.microsoft.com/Forums/office/en-US/3bbc81de-83fb-4c40-8a03-e03ede1a458b/group-managed-service-accounts-causing-delays-freezes-lock-ups-and-service-outages?forum=winserverDS). Supposedly Microsoft have resolved that issue (https://support.microsoft.com/en-us/kb/3094486), so maybe only point 2 below is relevant, but I did both so I figured I would mention it here.
  2. The DC had only recently been rebuilt (following an AD corruption). Turns out it allows time for convergence between DCs before allowing service accounts to be created (https://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-exist?forum=winserver8gen). As there was only one DC in this environment, convergence was not an issue, so I ran the command suggested in the article (as per below). Either this step alone, or in concert with step 1, was sufficient to resolve the issue. Why AD thought the object existed prior to these steps rather than just rejecting the command outright, I have no clue.

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
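The backdated Add-KdsRootKey call above is the standard single-DC workaround: the 10-hour delay exists so that every DC has replicated the root key before any gMSA password is derived from it, and backdating simply skips that wait. The script below is an added example, not the answer's own code: it checks whether a usable KDS root key already exists before creating one, refuses to create the account if any object already carries the name, and then creates the gMSA with the settings a defender would want (only a named computer group may retrieve the password, AES-256 Kerberos only). The OU path and account names come from the question; the host FQDN vm-backup-service.company.local, the group VM-Backup-Hosts and the function names are assumed placeholders.

```powershell
# Added example (not code from the original answer): gate gMSA creation on a usable
# KDS root key and create the account with least-privilege settings.
Import-Module ActiveDirectory

function Test-KdsReady {
    # $true when at least one KDS root key is already effective on this DC.
    foreach ($k in @(Get-KdsRootKey)) {
        if (Test-KdsRootKey -KeyId $k.KeyId) { return $true }
    }
    return $false
}

function New-BackupGmsa {
    param(
        [string]$Name      = 'VM Backup',
        [string]$Sam       = 'VM_Backup',
        [string]$Path      = 'OU=AD_Managed_Service_Accounts,DC=company,DC=local',
        [string]$DnsHost   = 'vm-backup-service.company.local',  # assumed: must be a real host FQDN
        [string]$HostGroup = 'VM-Backup-Hosts'                   # assumed: computers allowed to fetch the password
    )

    if (-not (Test-KdsReady)) {
        # Single-DC lab only: backdating by 10 hours makes the key usable at once.
        # With several DCs use -EffectiveImmediately and wait the 10 hours so the
        # key has replicated everywhere before a gMSA depends on it.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }

    # Refuse to continue if anything, of any object class, already has this CN.
    $clash = Get-ADObject -LDAPFilter "(cn=$Name)" -SearchBase (Get-ADDomain).DistinguishedName
    if ($clash) {
        throw "An object named '$Name' already exists: $($clash.DistinguishedName)"
    }

    New-ADServiceAccount -Name $Name -SamAccountName $Sam -Path $Path `
        -DNSHostName $DnsHost `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -PassThru
}

# Usage: create the account and show what was written to the directory.
New-BackupGmsa | Select-Object Name, SamAccountName, DNSHostName, DistinguishedName
```

After creation, the account is installed and verified on the backup host itself (not on the DC) with Install-ADServiceAccount and Test-ADServiceAccount; a False from Test-ADServiceAccount usually means the host is not a member of the group named in PrincipalsAllowedToRetrieveManagedPassword or has not refreshed its Kerberos ticket since being added.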
