What do the error messages and codes mean when creating and installing Managed Service Accounts?

When using the PowerShell Cmdlets for creating and installing Managed Service Accounts, certain errors can be thrown. What does each error mean?


New-ADServiceAccount

The name provided is not a properly formed account name

The SAM account name exceeds the 20 character limit. A $ is automatically appended when missing and counts towards this limit.

Examples:

New-ADServiceAccount abcdefghijklmno -SamAccountName abcdefghijklmnopqrst
New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmnopqrst
New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmnopqrst

Install-ADServiceAccount

Cannot install service account. Error Message: 'Unknown error (0xc0000022)'.

Right-click on the PowerShell shortcut and choose Run as Administrator.


Cannot install service account. Error Message: 'Unknown error (0xc0000106)'.

The SAM account name is within the 20 character limit, but its full name exceeds this limit.

Examples:

New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmno
New-ADServiceAccount abcdefghijklmnopqrst -SamAccountName abcdefghijklmnopqrs

Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.

The full name and the SAM account name are within the 20 character limit, but both of them exceed the NetLogon 15 character limit.

Examples:

New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmnopqrs

Cannot install service account. Error Message: 'Unknown error (0xc0000225)'.

The full name and the SAM account name are within the 20 character limit, but one of them exceeds the NetLogon 15 character limit.

Examples:

New-ADServiceAccount abcdefghijklmno -SamAccountName abcdefghijklmnopqrs
New-ADServiceAccount abcdefghijklmnopqrs -SamAccountName abcdefghijklmno

Sources used in addition to own research:

  • How can I use New-ADServiceAccount with a name of more than 19 characters?
  • http://mikefrobbins.com/2011/02/17/managed-service-accounts/
  • http://www.derekseaman.com/2010/02/server-2008-r2-managed-service-account.html
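
The length rules from the answer above, as an added example that is not part of the original answer. `Test-MsaNameLength` is a hypothetical helper (not a cmdlet from the ActiveDirectory module) that predicts which of the documented errors a name pair would hit; its thresholds are taken from the examples on this page.

```powershell
# Added example: predicts the failure documented above for a given name pair.
# Test-MsaNameLength is a hypothetical helper, not part of the ActiveDirectory module.
function Test-MsaNameLength {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )
    # A trailing $ is appended when missing and counts towards the 20 character limit.
    $sam = if ($SamAccountName.EndsWith('$')) { $SamAccountName } else { $SamAccountName + '$' }
    $samBase = $sam.Substring(0, $sam.Length - 1)

    $failsAt = 'none predicted'
    $errorText = 'none predicted'
    if ($sam.Length -gt 20) {
        $failsAt = 'New-ADServiceAccount'
        $errorText = 'The name provided is not a properly formed account name'
    }
    elseif ($Name.Length -gt 19) {
        # Per the examples above, a 20 character full name already exceeds the limit.
        $failsAt = 'Install-ADServiceAccount'
        $errorText = '0xc0000106'
    }
    elseif ($Name.Length -gt 15 -and $samBase.Length -gt 15) {
        # Both names exceed the NetLogon 15 character limit.
        $failsAt = 'Install-ADServiceAccount'
        $errorText = '0xc0000017'
    }
    elseif ($Name.Length -gt 15 -or $samBase.Length -gt 15) {
        # Exactly one of the names exceeds the NetLogon 15 character limit.
        $failsAt = 'Install-ADServiceAccount'
        $errorText = '0xc0000225'
    }
    [pscustomobject]@{
        Name = $Name; SamAccountName = $sam; FailsAt = $failsAt; Error = $errorText
    }
}

# Name pairs taken from the examples above, plus one constructed pair within all limits.
$pairs = @(
    @('abcdefghijklmno',      'abcdefghijklmnopqrst'),  # SAM name + $ is 21 characters
    @('abcdefghijklmnopqrst', 'abcdefghijklmno'),       # full name is 20 characters
    @('abcdefghijklmnopqrs',  'abcdefghijklmnopqrs'),   # both longer than 15
    @('abcdefghijklmno',      'abcdefghijklmnopqrs'),   # only the SAM name longer than 15
    @('msa_web01',            'msa_web01')              # constructed: within every limit
)
foreach ($p in $pairs) { Test-MsaNameLength -Name $p[0] -SamAccountName $p[1] }
```

Running the check before `New-ADServiceAccount` avoids creating an account that can later fail at `Install-ADServiceAccount` on the target server.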

I spent hours trying to figure out what this message meant:

Cannot install service account. Error Message: '{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.

Install-ADServiceAccount (Get-ADServiceAccount msa_test1)

Install-ADServiceAccount : Cannot install service account. Error Message: '{Not Enough Quota}
Not enough virtual memory or paging file quota is available to complete the specified operation.'.
At line:1 char:1
+ Install-ADServiceAccount (Get-ADServiceAccount msa_test1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (msa_test1:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD
   irectory.Management.Commands.InstallADServiceAccount


This error message is completely misleading. The cause of the message was:

The server on which I was executing Install-ADServiceAccount already had another MSA installed. This other MSA had a cn attribute that did not exactly match the sAMAccountName attribute.

Make sure that for all MSAs:

  • the MSA cn does not end with $
  • the MSA cn matches exactly the sAMAccountName