Ingólfur Arnar Stangeland

Name Reference is invalid when creating Group-Managed Service Account with New-ADServiceAccount

Name Reference is Invalid

This typically happens when you run the PowerShell cmdlet New-ADServiceAccount and the SPN you're trying to add on the command line is either incorrectly formatted (backslash or forward slash, anyone?) or the container for it is missing in AD. To confirm, run the command without the SPN and then try adding the same SPN in the ADSIEdit.msc console; you should see the error message above.

Resolution: fix the format of your SPN, obviously 🙂
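A pre-flight format check for the SPN values, as an added example that is not from the original post or from Microsoft. The function name `Test-SpnFormat`, the sample SPNs, the host names and the character rules are assumptions for illustration. It checks only the `serviceclass/host[:port][/servicename]` shape, not whether the container exists in AD.

```powershell
# Added example (hypothetical helper): validate SPN strings before passing them
# to New-ADServiceAccount -ServicePrincipalNames.
# Assumed shape: <serviceclass>/<host>[:<port>][/<servicename>]
function Test-SpnFormat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Spn
    )
    process {
        $problems = @()
        if ($Spn -match '\\') { $problems += 'contains a backslash; parts are separated by forward slashes' }
        if ($Spn -match '\s') { $problems += 'contains whitespace' }

        $parts = $Spn -split '/'
        if ($parts.Count -lt 2 -or $parts.Count -gt 3) {
            $problems += 'expected 2 or 3 parts separated by "/"'
        }
        else {
            # Conservative character sets (assumption, stricter than AD itself).
            if ($parts[0] -notmatch '^[A-Za-z0-9_.-]+$') { $problems += "invalid service class '$($parts[0])'" }

            $hostName, $port = $parts[1] -split ':', 2
            if ($hostName -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') { $problems += "invalid host '$hostName'" }
            if ($null -ne $port) {
                if ($port -notmatch '^\d{1,5}$' -or [int]$port -lt 1 -or [int]$port -gt 65535) {
                    $problems += "invalid port '$port'"
                }
            }
            if ($parts.Count -eq 3 -and [string]::IsNullOrEmpty($parts[2])) { $problems += 'empty service name after trailing "/"' }
        }

        [pscustomobject]@{ Spn = $Spn; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
    }
}

# Constructed sample values, not taken from any real directory.
$candidates = @(
    'HTTP/web01.corp.example'
    'MSSQLSvc/sql01.corp.example:1433'
    'HTTP\web01.corp.example'            # backslash instead of forward slash
    'HTTP/web01.corp.example:http'       # non-numeric port
    'web01.corp.example'                 # missing service class
)
$results = $candidates | Test-SpnFormat
$results | Format-Table -AutoSize -Wrap

# Only well-formed values go to the cmdlet (account and host names are placeholders):
# New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
#     -ServicePrincipalNames ($results | Where-Object Valid).Spn
```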

I recommend this excellent post from my former PFE colleagues for beefing up on gMSA in Windows Server 2012+:

Windows Server 2012: Group Managed Service Accounts
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

…and other, more verbose but less focused TechNet material if you want the whole book and not just the summary:

ms-DS-Group-Managed-Service-Account class
http://msdn.microsoft.com/en-us/library/windows/desktop/hh404221(v=vs.85).aspx

Group Managed Service Accounts Overview
http://technet.microsoft.com/en-us/library/hh831782.aspx