Create SharePoint service accounts with PowerShell

There are a few of these scripts around to create SharePoint service accounts with PowerShell, but as SharePoint 2019 is coming I decided to create a new one with a bit more functionality and error handling.
A good blog post about the different service accounts needed can be found at https://absolute-sharepoint.com/2017/03/sharepoint-2016-service-accounts-recommendations.html
The general recommendation in that post is to use different service accounts for each environment, which is easy to do with this script.

Using the script

The script needs the ActiveDirectory module to function correctly.
Please install the Active Directory management tools so that this module is available.
I recommend running this script on the domain controller or on a management server with sufficient permissions.

PowerShell Gallery

The script has been uploaded to the PowerShell Gallery.
Start PowerShell as an administrator on a server/computer and run the following command:

Install-Script -Name Add-ServiceAccounts


Press Y if you want to add the default imported scripts location to the PATH environment variable.


Press Y to install and import the NuGet provider now as this is a “clean” server installation.


Press Y to install the script from the PSGallery; it will be saved in the default location C:\Program Files\WindowsPowerShell\Scripts.
I always recommend reading through the .ps1 file first if you haven’t already read it on the PowerShell Gallery page.

You can now run the following command to create the service accounts:

Add-ServiceAccounts -OU "OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com" -UPNSuffix "SharePointFire.com" -Prefix "SA_SP2019" -LogPath "C:\Install"


The service accounts have been created in the specified location.


You can also verify the log file and add the passwords to your password database.


Copy / Paste

The other option is to copy and paste the code below into a PowerShell session running as administrator.
Please note that the script below may not be the latest version; the PowerShell Gallery copy is always the most up to date.
Adding extra users is easier this way: simply update the $Accounts variable with more names.

<#PSScriptInfo
.VERSION 2.3
.GUID a8d133a6-dc3b-4dbf-a6f5-1ea8abcbb7bd
.AUTHOR Maarten Peeters - SharePointFire - https://sharepointfire.com
.COMPANYNAME SharePointFire
.COPYRIGHT
.TAGS SharePoint, Active Directory, Service Accounts
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES ActiveDirectory
.RELEASENOTES
Version 1.0: Original published version.
Version 2.0: Removed function
Version 2.1: Changed Admin to Install
Version 2.2: Fixed A positional parameter cannot be found that accepts argument
Version 2.3: Fixed A positional parameter cannot be found that accepts argument
#>

<#
.SYNOPSIS
Simple script to create the needed SharePoint service accounts
.DESCRIPTION
Simple script to create the needed SharePoint service accounts. Each service account will receive a unique password.
.PARAMETER OU
Enter the full path to the OU where the service accounts are to be added.
For example: OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com
.PARAMETER UPNSuffix
Enter the UPN suffix to be used during creation.
For example: sharepointfire.com
.PARAMETER Prefix
Specify the prefix to be used for the service accounts.
For example: SA_SP2019, which will create service accounts like SA_SP2019Farm and SA_SP2019Install
.PARAMETER LogPath
Enter the full path in which to store a .csv file (; delimited) of the created service accounts with their unique passwords.
For example: C:\Install
.EXAMPLE
Add-ServiceAccounts.ps1 -OU "OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com" -UPNSuffix "SharePointFire.com" -Prefix "SA_SP2019" -LogPath "C:\Install"
.NOTES
Version:        2.3
Author:         Maarten Peeters
Creation Date:  29-07-2018
Purpose/Change: Fast creation of Service Accounts
#>

param(
    [Parameter(mandatory=$true)]
    [string] $OU,
    [Parameter(mandatory=$true)]
    [string] $UPNSuffix,
    [Parameter(mandatory=$true)]
    [string] $Prefix,
    [Parameter(mandatory=$true)]
    [string] $LogPath
)

#Array of accounts to be created. Add names if needed, for example a Visio Unattended service account
$Accounts = "Install", "Farm", "Services", "Pool", "MySitePool", "Crawl", "Sync", "C2WTS", "SU", "SR"

#Password alphabet: printable ASCII 33-95 and 97-126 (upper/lower case letters, digits, punctuation).
#';' is excluded because it is the delimiter of the .csv log written below and would corrupt the log line.
$Alphabet = ([char[]](33..95) + [char[]](97..126)) | Where-Object { $_ -ne [char]';' }

try{
    #Verify if the Active Directory module is available
    if (Get-Module -ListAvailable -Name activedirectory) {
        #Import the Active Directory module
        Import-Module activedirectory -ErrorAction SilentlyContinue

        #Verify if the OU exists
        if(Get-ADOrganizationalUnit -Filter { DistinguishedName -eq $OU }) {

            #Test if the log path exists
            if(Test-Path $LogPath) {
                $Log = @()
                #Loop through all accounts and create them
                foreach($Account in $Accounts){
                    #Shuffle the alphabet and take the first 16 characters (Get-Random is not a
                    #cryptographic RNG; use RNGCryptoServiceProvider if your password policy requires one)
                    $Password = ($Alphabet | Sort-Object {Get-Random})[0..15] -join ''
                    New-ADUser -Name "$($Prefix)$($Account)" -SamAccountName "$($Prefix)$($Account)" -DisplayName "$($Prefix)$($Account)" -UserPrincipalName "$($Prefix)$($Account)@$($UPNSuffix)" -Path $OU -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -PassThru | Out-Null
                    #One "account;password" line per account, without trailing whitespace so the .csv imports cleanly
                    $Log += "$($Prefix)$($Account);$($Password)"
                }
                $Log | Out-File -FilePath "$($LogPath)\SharePointAccounts$((Get-Date).ToString('sshhMMddyyyy')).csv"
                Write-Host "Accounts created and log located on $($LogPath)" -ForegroundColor Green
            } else {
                Write-Host "The path $($LogPath) could not be found. Please enter a correct path to store the passwords" -ForegroundColor Yellow
            }
        } else {
            Write-Host "The OU $($OU) could not be found. Please enter a correct OU to store the accounts" -ForegroundColor Yellow
        }
    } else {
        Write-Host "Active Directory module not loaded. Please install Active Directory Management Tools" -ForegroundColor Yellow
    }
}
catch{
    Write-Host "Error occurred: $($_.Exception.Message)" -ForegroundColor Red
}

You will be prompted for the parameters used by this script.

These accounts will also be created correctly, each with its own unique password.

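The log file is the only place the generated passwords are written, so it is worth verifying it against AD before the passwords go into the password database, and then getting the plaintext file off the disk. The script below is an added example, not part of the original post or the Add-ServiceAccounts script; it assumes the ActiveDirectory module is installed, and $LogFile and $ExpectedOU are values you supply (the log name pattern SharePointAccounts<stamp>.csv follows the script above).

```powershell
# Added example (not part of the original post): verify the accounts Add-ServiceAccounts
# created by reading its ';'-delimited log, checking each account in AD, and optionally
# removing the plaintext log once the passwords are in the password database.
param(
    [Parameter(Mandatory = $true)] [string] $LogFile,     # e.g. C:\Install\SharePointAccounts<stamp>.csv
    [Parameter(Mandatory = $true)] [string] $ExpectedOU,  # the -OU value passed to Add-ServiceAccounts
    [switch] $RemoveLog                                   # delete the log after a clean verification
)
Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($line in (Get-Content -Path $LogFile | Where-Object { $_.Trim() -ne '' })) {
    # Split on the first ';' only, so a password that itself contains ';' still parses
    $name, $password = $line.Trim() -split ';', 2

    # -Filter (not -Identity) so a missing account yields $null instead of an exception
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties PasswordNeverExpires, PasswordLastSet

    $issues = @()
    if (-not $user) {
        $issues += 'not found in AD'
    } else {
        if (-not $user.Enabled)              { $issues += 'disabled' }
        if (-not $user.PasswordLastSet)      { $issues += 'no password set' }
        if (-not $user.PasswordNeverExpires) { $issues += 'password expires' }
        if ($user.DistinguishedName -notlike "*,$ExpectedOU") { $issues += "outside $ExpectedOU" }
    }
    if ([string]::IsNullOrWhiteSpace($password)) { $issues += 'empty password in log' }

    $status = if ($issues.Count -eq 0) { 'OK' } else { $issues -join ', ' }
    [pscustomobject]@{ Account = $name; Status = $status }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { $_.Status -ne 'OK' }).Count
if ($failed -gt 0) {
    Write-Warning "$failed account(s) need attention; log kept at $LogFile"
} elseif ($RemoveLog) {
    # The log holds plaintext passwords; once they are in the password database it should not linger on disk
    Remove-Item -Path $LogFile -Force
    Write-Host "All $(@($results).Count) accounts verified; log $LogFile removed" -ForegroundColor Green
} else {
    Write-Host "All $(@($results).Count) accounts verified; remember to remove $LogFile after importing the passwords" -ForegroundColor Green
}
```

Run it as `.\Verify-ServiceAccounts.ps1 -LogFile "C:\Install\SharePointAccounts<stamp>.csv" -ExpectedOU "OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com" -RemoveLog` once the passwords are stored; the log is only deleted when every account checks out, so a failed run leaves the passwords available for a retry.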

The website cannot display the page @ SharePoint due to Group Policy settings

This error (The website cannot display the page) can be thrown for a number of reasons, but I’ll show the issue and solution we had after a few SharePoint 2013 installations.

Issue

We installed SharePoint 2013 correctly and verified that everything was up and running. The databases and websites were online and Central Administration was working. We only got the error below while browsing to our Web Applications.


We found the following errors in the ULS logging using ULSViewer.

Application error when access /SitePages/Home.aspx, Error=The given assembly name or codebase, 'C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll', was invalid.
at System.ServiceModel.Activation.ServiceHttpModule.BeginProcessRequest(Object sender, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

System.IO.FileLoadException: The given assembly name or codebase, 'C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll', was invalid.
at System.ServiceModel.Activation.ServiceHttpModule.BeginProcessRequest(Object sender, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Access Denied. Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
at Microsoft.SharePoint.Library.SPRequestInternalClass.PreInitServer(String bstrAbsoluteRequestUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gApplicationId, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, Boolean fHostHeaderIsSiteName, String bstrAppHostHeaderRedirectDomain, Boolean fAppWebRequest, String bstrAppDomain, String bstrRequestAppWebDomainId, String bstrAppSiteDomainPrefix, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision)
at Microsoft.SharePoint.Library.SPRequest.PreInitServer(String bstrAbsoluteRequestUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gApplicationId, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, Boolean fHostHeaderIsSiteName, String bstrAppHostHeaderRedirectDomain, Boolean fAppWebRequest, String bstrAppDomain, String bstrRequestAppWebDomainId, String bstrAppSiteDomainPrefix, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision)

After investigation we found out that the customer controls a great deal through group policies, so we compared a few policies against a working SharePoint 2013 environment.

Problem

The customer had removed the local group IIS_IUSRS from the group policy ‘Impersonate a client after authentication’ under Local Policies –> User Rights Assignment.


Central Administration was still working because the farm account was still present in that policy and the farm account is a member of the local Administrators group.

Solution

We added IIS_IUSRS back to this policy and performed an IISReset. All Web Applications were up and running after the reset.
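Because the user right is pushed by group policy, it can silently disappear again at the next policy refresh, so a check that reads the effective local policy is worth keeping. The function below is an added example, not part of the original post: it exports the user-rights area with secedit and looks for IIS_IUSRS (well-known SID S-1-5-32-568) in the SeImpersonatePrivilege entry, which is the policy name behind "Impersonate a client after authentication". The export path and function name are this example's own choices; it must run elevated on the SharePoint web front end.

```powershell
# Added example (not part of the original post): check whether BUILTIN\IIS_IUSRS still
# holds "Impersonate a client after authentication" (SeImpersonatePrivilege) on this server.
function Test-IisImpersonateRight {
    param([string] $ExportPath = (Join-Path $env:TEMP 'secpol-user-rights.inf'))  # assumed scratch path

    # secedit writes an .inf whose [Privilege Rights] section lists each right as
    # "SeXxxPrivilege = *SID,*SID,..." (SIDs carry a leading '*'; unresolved entries may be names)
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE (run elevated)" }

    $line = Get-Content -Path $ExportPath |
        Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $ExportPath -Force -ErrorAction SilentlyContinue

    if (-not $line) { return $false }   # the right is assigned to nobody at all

    $principals = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    # IIS_IUSRS is the well-known SID S-1-5-32-568; accept the name too in case it was exported unresolved
    return (($principals -contains 'S-1-5-32-568') -or ($principals -contains 'IIS_IUSRS'))
}

if (Test-IisImpersonateRight) {
    Write-Host "IIS_IUSRS holds SeImpersonatePrivilege; policy is as SharePoint expects" -ForegroundColor Green
} else {
    Write-Warning "IIS_IUSRS is missing from 'Impersonate a client after authentication'. Check the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, then run gpupdate /force and iisreset."
}
```

The check reads the policy as applied on the box rather than the GPO definition, so it catches the case where a central policy overrides a local fix after `gpupdate`; scheduling it after each policy refresh gives an early warning before users see "The website cannot display the page".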


There are currently no logon servers available to service the logon request

We restarted a domain controller and encountered the following error:

There are currently no logon servers available to service the logon request

Issue

The server had come back up in “safe mode” after the restart, and we could no longer log on using our domain admin accounts or connect to the DC from the member servers.

Solution

Log on to the domain controller using the DSRM credentials.

Start the System Configuration tool (msconfig) and navigate to the Boot tab.

Deselect ‘Safe boot’.

Click Apply.

Restart the server. Afterwards you can log on to the domain controller again and verify that the Active Directory Domain Services are running.

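The "Safe boot" checkbox in msconfig is stored as the `safeboot` value of the current BCD entry (the Directory Services Repair option is the `DsRepair` variant), which is why the DC keeps returning to safe mode on every reboot until the value is cleared. The script below is an added example, not part of the original post: it reads that value with bcdedit and then checks the core services a DC needs to answer logon requests. The function names are this example's own; the service names are the real Windows service names. Run it elevated in the DSRM session described above, or on any DC as a health check.

```powershell
# Added example (not part of the original post): detect a persistent safe-boot setting on a
# domain controller and report the state of the services that handle domain logons.
function Get-SafeBootSetting {
    # '{current}' must be quoted in PowerShell, otherwise the braces are parsed as a script block
    $bcd = bcdedit /enum '{current}'
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE (run elevated)" }

    # bcdedit prints the value as a line such as "safeboot                DsRepair"
    $line = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }  # Minimal, Network or DsRepair
    return $null                                                                  # normal boot
}

function Get-DomainControllerServiceState {
    # Services a DC must run to service logon requests: AD DS, Kerberos KDC, Netlogon, DNS
    foreach ($name in 'NTDS', 'Kdc', 'Netlogon', 'DNS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'NotInstalled' }
        [pscustomobject]@{ Service = $name; Status = $status }
    }
}

$safeboot = Get-SafeBootSetting
if ($safeboot) {
    Write-Warning "BCD safeboot is set to '$safeboot'; the DC will start in safe mode on every reboot. Untick 'Safe boot' in msconfig, or run: bcdedit /deletevalue '{current}' safeboot, then restart."
} else {
    Write-Host 'No safeboot value in the BCD: normal boot is configured' -ForegroundColor Green
}

Get-DomainControllerServiceState | Format-Table -AutoSize
```

In safe mode the NTDS, Kdc and Netlogon services are not started, which is exactly why no domain account can log on and member servers report that no logon servers are available; after the safeboot value is gone and the server has restarted, all four services should show as Running.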