Name Reference is invalid when creating Group-Managed Service Account with New-ADServiceAccount

Name Reference is Invalid

This typically happens when you run the PowerShell cmdlet New-ADServiceAccount and the SPN you're trying to add on the command line is either incorrectly formatted (backslash or forward slash, anyone?) or the container for it is missing in AD. To confirm, run the command without the SPN and try adding the same SPN within the ADSIEdit.msc console, where you should see the error message above.

Resolution: fix the format of your SPN obviously 🙂
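The check and the two-step isolation described above, as an added PowerShell example (not code from the original post): it validates each SPN against the `serviceclass/host[:port][/servicename]` shape, creates the gMSA without any SPN, then adds the SPNs one at a time so a rejected value is easy to identify. The function names and the sample SPNs are constructed for illustration, and the regular expression is a simplified shape check rather than a full SPN grammar.

```powershell
# Added example. Function names and sample values are constructed placeholders.
function Test-SpnFormat {
    param([Parameter(Mandatory)][string]$Spn)
    # Expected shape: serviceclass/host[:port-or-instance][/servicename]
    # The separator must be a forward slash; backslashes and whitespace are rejected.
    return $Spn -match '^[^/\\\s:]+/[^/\\\s:]+(:[^/\\\s:]+)?(/[^\\\s]+)?$'
}

function New-GmsaWithCheckedSpn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][string]$AllowedPrincipal,
        [string[]]$Spn = @()
    )
    # Refuse to touch AD at all if any SPN is malformed.
    $bad = @($Spn | Where-Object { -not (Test-SpnFormat $_) })
    if ($bad.Count -gt 0) {
        throw "Malformed SPN(s): $($bad -join ', ')"
    }
    # Step 1: create the account with no SPN, so a failure here is not SPN-related.
    $account = New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipal -PassThru
    # Step 2: add SPNs one at a time so the failing value is identifiable.
    foreach ($s in $Spn) {
        try {
            Set-ADServiceAccount -Identity $account `
                -ServicePrincipalNames @{ Add = $s } -ErrorAction Stop
        } catch {
            Write-Warning "SPN '$s' was rejected: $($_.Exception.Message)"
        }
    }
}

# Constructed sample values: the format check alone needs no domain access.
'HTTP/web01.example.com',
'MSSQLSvc/sql01.example.com:1433',
'HTTP\web01.example.com',
'HTTP /web01.example.com' | ForEach-Object {
    '{0,-36} valid={1}' -f $_, (Test-SpnFormat $_)
}
```

Calling `New-GmsaWithCheckedSpn` requires the ActiveDirectory module and rights to create service accounts; the sample loop at the end runs anywhere.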


Recommend this excellent post from my former PFE colleagues for beefing up on GMSA in Windows Server 2012+:

Windows Server 2012: Group Managed Service Accounts


…and other more verbose but less focused TechNet material if you want the whole book and not just the summary:

ms-DS-Group-Managed-Service-Account class

Group Managed Service Accounts Overview