Friday, 8 October 2010

Automated SharePoint 2010 AD service accounts creation using PowerShell

As I don’t really enjoy repetitive tasks, I decided to put a quick PowerShell script together to create the AD service accounts required for SharePoint 2010.
The required accounts are:
  • svc_spFarm (Server farm account or database access account)
  • svc_spAdmin (Setup user account Install Account)
  • svc_caAppPool (Application Pool Identity for Central Administration web application)
  • svc_portalAppPool (Application Pool Identity for Portal web application)
  • svc_myAppPool (Application pool Identity for my sites host web application)
  • svc_spUPS (User Profile Synchronisation with AD)
  • svc_spUPAPool (User Profile Services Application Pool account)
  • svc_spSearch (This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search Service Applications in the farm)
  • svc_spCrawl (Content Access account)
  • svc_spSearchAP (Enterprise Search Application Pool Identity)
  • svc_spSearchAdmAP (Enterprise Search Admin component Application Pool Identity)
  • svc_fsSearch (Foundation server search account)
  • svc_fsCrawl (Foundation server crawl account)
  • svc_spSandbox (Sandbox service service account)
  • svc_WebAnalytics (SharePoint Web Analytics service account)
  • svc_SecureStore (Secure Store Application Pool service account)
  • svc_spSTSAcct (Security Token Service Application)
  • svc_spMetadata (Managed Metadata Service Account)
(Other accounts may be required depending on services running on the farm such as InfoPath services, Visio, etc…)
Please note The following additional domain , local and SQL permissions / roles are required:
Member of the Local Administrators group.
SQL Server login on the computer that runs SQL Server.
Member of the following SQL Server security roles:
    · securityadmin fixed server role
    · dbcreator fixed server role
    · sysAdmin fixed server role (during installation using PowerShell only)
Member of the Local Administrators group during the user profile services configuration only.
AD Delegate rights for Replication Directory Changes permissions
The PowerShell command takes a csv file containing the following headings:
  • samAccountName   
  • userPrincipalName
  • cn
  • givenName
  • Password
  • description
Copy and paste the following into a csv file called acc.csv (ideally this needs to be an XML):
svc_spAdmin,svc_spAdmin@domainName.FQDN,svc_spAdmin,accountPassword,The Setup user account is used to Setup SharePoint Products Configuration
svc_spFarm, svc_spFarm@domainName.FQDN,svc_spFarm,accountPassword,The server farm account is used to Run the Microsoft SharePoint Foundation and workflow Timer ServiceWizard
svc_caAppPool,svc_caAppPool@domainName.FQDN,svc_caAppPool,accountPassword,Application Pool Identity for Central Administration web application
svc_portalAppPool,svc_portalAppPool@domainName.FQDN,svc_portalAppPool,accountPassword,Application Pool Identity for Portal web application
svc_myAppPool, svc_spAppPool@domainName.FQDN,svc_myAppPool,accountPassword,Application pool Identity for my sites host web application
svc_spUPS,svc_myAppPool@domainName.FQDN,svc_spUPS,accountPassword,User Profile Synchronisation with AD
svc_spUPAPool,svc_spUPAPool@domainName.FQDN,svc_spUPAPool,accountPassword,User Profile Services Application Pool account
svc_spSearch, svc_spSearch@domainName.FQDN,svc_spSearch,accountPassword,This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search Service Applications in the farm
svc_spCrawl, svc_spCrawl@domainName.FQDN,svc_spCrawl,accountPassword,Content Access account
svc_spSearchAP,svc_spSearchAP@domainName.FQDN,svc_spSearchAP,accountPassword,Enterprise Search Application Pool Identity
svc_spSearchAdmAP,svc_spSearchAdmAP@domainName.FQDN,svc_spSearchAdmAP,accountPassword,Enterprise Search Admin component  Application Pool Identity
svc_fsSearch,svc_fsSearch@domainName.FQDN,svc_fsSearch,accountPassword,Foundation server search account
svc_fsCrawl,svc_fsCrawl@domainName.FQDN,svc_fsCrawl,accountPassword,Foundation server crawl account
svc_spSandbox,svc_spSandbox@domainName.FQDN,svc_spSandbox,accountPassword,Sandbox service application service account
svc_WebAnalytics,svc_WebAnalytics@domainName.FQDN,svc_WebAnalytics,accountPassword,SharePoint Web Analytics service account
svc_SecureStore,svc_SecureStore@domainName.FQDN,svc_SecureStore,accountPassword,Secure Store Application Pool service account
svc_spSTSAcct,svc_spSTSAcct@domainName.FQDN,svc_spSTSAcct,accountPassword,Security Token Service Application
svc_spMetadata,svc_spMetadata@domainName.FQDN,svc_spMetadata,accountPassword,Managed Metadata Service Account
…and now the magical one-line PowerShell command, this needs to run using the Active Directory module for Windows PowerShell.
The Active Directory module for Windows PowerShell in Windows Server® 2008 R2 is a Windows PowerShell module (named ActiveDirectory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory® domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
You can install the Active Directory module by using any of the following methods:
  • By default, on a Windows Server 2008 R2 server when you install the AD DS or AD LDS server roles
  • By default, when you make a Windows Server 2008 R2 server a domain controller by running Dcpromo.exe
  • As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server
  • As part of the RSAT feature on a Windows 7 computer
Start Active Directory module for Windows PowerShell and type the following:
Import-Csv acc.csv | ForEach-Object { New-ADuser -Path 'OU=Service Accounts,DC=dev,DC=local' -Name $_.samAccountName -samAccountName $_.samAccountName -userPrincipalName $_.userPrincipalName -GivenName $ -description $_.description -PasswordNeverExpires $True -CannotChangePassword $True -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
in the above script I have an OU called “Service Accounts” and my domain name is “dev.local”

1 comment:

Ashkan Jabbari said...

Script updated to include:

-PasswordNeverExpires $True
-CannotChangePassword $True
-Enabled $true