Install-ADServiceAccount fails with 0xC0000022
hello,
what user permissions/rights do I need to install an AD managed service account on a member server with the Install-ADServiceAccount. The account has been created in AD, still remains in the default "Managed Service Accounts" container, and has been linked to the appropriate computer object. The SAM account name is only 12 characters long.
On the member server, I have tried to Install-ADServiceAccount. PowerShell was running under an account which is a member of "Domain Users" and also of the local Administrators group, but it fails with the 0xC0000022 error.
Get-ADServiceAccount works fine from the member server.
ondrej.
June 3rd, 2010 4:41pm
Hi
"Install-ADServiceAccount" contains a register/change SPN operation, and SPN operations require Domain Administrator permissions or delegation. You can try to delegate Write permission to this Domain User on the Managed Service Account to test.
Thanks
This posting is provided "AS IS" with no warranties, and confers no rights.
June 4th, 2010 5:47am
thank you very much. I am just in the process of identifying the required attributes that must be delegated to the service admin so that the installation works with least privilege possible.
ondrej.
June 9th, 2010 9:18am
Did you ever figure out what permissions are required to grant the admin? I ran into the same problem as you and found this thread. I was able to install the service account, but I did it with domain administrator permissions. I suppose Account Operator will work as well, but I only want to grant the minimum.
July 8th, 2010 5:24pm
Never mind. I figured out the permissions needed to modify the Managed Service Account. The account needs "Reset Password" and "Write account restrictions". Here are the dsacls commands to grant those:
dsacls.exe "CN=SVC-SQL1,CN=Managed Service Accounts,DC=mydomain,DC=com" /G "MYDOMAIN\SQL1-Admin:WP;Account Restrictions"
dsacls.exe "CN=SVC-SQL1,CN=Managed Service Accounts,DC=mydomain,DC=com" /G "MYDOMAIN\SQL1-Admin:CA;Reset Password"
July 8th, 2010 6:19pm
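The same least-privilege delegation that the dsacls commands above perform, written as an added PowerShell example with the ActiveDirectory module (this is not code from the thread or from Microsoft). It grants the delegated principal only the "Account Restrictions" property-set write and the "Reset Password" control-access right on the single MSA object, then reads the ACL back so you can confirm that nothing broader was applied. The distinguished name, domain and the SQL1-Admin principal are the example values from the thread; the two GUIDs are the well-known schema identifiers for the User-Account-Restrictions property set and the User-Force-Change-Password extended right.

```powershell
Import-Module ActiveDirectory

# Example values taken from the thread; replace with your own object and principal.
$MsaDn   = "CN=SVC-SQL1,CN=Managed Service Accounts,DC=mydomain,DC=com"
$Grantee = "SQL1-Admin"   # delegated service admin (user or group) in MYDOMAIN

# Well-known schema GUIDs (not page-specific values):
#   User-Account-Restrictions property set  -> what dsacls calls "Account Restrictions"
#   User-Force-Change-Password control right -> what dsacls calls "Reset Password"
$AccountRestrictionsGuid = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"
$ResetPasswordGuid       = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

function Grant-MsaInstallRights {
    param([string]$Dn, [string]$PrincipalName)

    # Resolve the principal to a SID so the ACE does not depend on name resolution later.
    $sid = (Get-ADObject -Filter { SamAccountName -eq $PrincipalName } -Properties objectSid).objectSid
    if (-not $sid) { throw "Principal '$PrincipalName' not found in AD" }

    $path = "AD:\$Dn"
    $acl  = Get-Acl -Path $path

    # ACE 1: WriteProperty limited to the Account Restrictions property set (dsacls "WP;Account Restrictions").
    $writeRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AccountRestrictionsGuid)

    # ACE 2: ExtendedRight limited to Reset Password (dsacls "CA;Reset Password").
    $resetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid)

    $acl.AddAccessRule($writeRestrictions)
    $acl.AddAccessRule($resetPassword)
    Set-Acl -Path $path -AclObject $acl
}

function Get-MsaDelegatedRights {
    param([string]$Dn, [string]$PrincipalName)
    # Show only the ACEs that apply to the delegated principal, so an over-broad grant
    # (for example GenericAll or an unscoped WriteProperty) stands out during review.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference -like "*\$PrincipalName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

Grant-MsaInstallRights -Dn $MsaDn -PrincipalName $Grantee
Get-MsaDelegatedRights -Dn $MsaDn -PrincipalName $Grantee
```

Run it from an account that already holds Write DACL (or full control) on the MSA object, then run Install-ADServiceAccount on the member server as the delegated principal. In the verification output, the two ACEs should show ObjectType equal to the GUIDs above; any ACE for that principal with an empty ObjectType (the all-zero GUID) means the right was granted unscoped and should be removed.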