When building repeatable SharePoint farms I need to quickly create new service accounts. Since there is no need for a SharePoint Farm to be built using a Domain Admin account, there is really no need for a SharePoint Consultant to ask for or be granted Domain Admin rights.
I spent a good portion of my career prior to SharePoint as a Domain Admin/AD Architect, and a good portion of that role is knowing that most people who ask for Domain Admin rights don’t actually need them.
If you want to start off on the right foot with the AD team in any company, tell them you do not want or need Domain Admin rights. Immediately you have more credibility with them than most other people.
As a result of this, I have put together an account creation script that I use and turn that over to the Domain Admins so that they can handle the creation for me. I simply list out the accounts that I want and then populate them into the following PowerShell:
$domainName = $env:USERDOMAIN
$LDAP = "LDAP://CN=Managed Service Accounts,DC=$domainName,DC=%local%"
$objCN = [ADSI]$LDAP
$objUser = $objCN.Create("user", "CN=%Friendly Name%")
$objUser.Put("sAMAccountName", "%SAMAccountName%")
$objUser.SetInfo()                  # commit the new object before a password can be set on it
$objUser.SetPassword("%Password%")  # placeholder; supply a password that meets domain policy
$objUser.Put("userAccountControl", 512); $objUser.SetInfo()  # 512 = NORMAL_ACCOUNT, enabled (ADSI creates users disabled by default)
Using $env:USERDOMAIN, I am able to grab the domain of the currently logged-in user rather than having to specify it. Make sure that you change the last DC= to the correct domain suffix (.com, .net, .org, etc.). You will need to specify the %Friendly Name% and %SAMAccountName% of the account that you are trying to create.
The code above will allow you to create accounts that are active immediately without additional intervention.
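As an added example (my code, not from the original post), the same ADSI calls wrapped into a function that creates a whole list of accounts and skips any sAMAccountName that already exists, so a farm rebuild can be rerun safely. The account names, the DC suffix and the interactive password prompt are assumptions.

```powershell
# Added example: bulk-create SharePoint service accounts via ADSI, idempotently.
$domainName = $env:USERDOMAIN
$suffix     = "local"   # assumption: change to com/net/org to match your forest
$container  = "LDAP://CN=Managed Service Accounts,DC=$domainName,DC=$suffix"

# Constructed list of accounts to hand to the Domain Admins: friendly name -> sAMAccountName
$accounts = @(
    @{ Name = "SP Farm Account";      Sam = "sp_farm"     },
    @{ Name = "SP Service Apps";      Sam = "sp_services" },
    @{ Name = "SP User Profile Sync"; Sam = "sp_ups"      }
)

function New-SPServiceAccount {
    param(
        [Parameter(Mandatory)][string]$FriendlyName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # sAMAccountName is unique per domain, so search on it rather than on the CN
    $searcher = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    if ($searcher.FindOne()) {
        Write-Warning "$SamAccountName already exists, skipping"
        return
    }
    $objCN   = [ADSI]$container
    $objUser = $objCN.Create("user", "CN=$FriendlyName")
    $objUser.Put("sAMAccountName", $SamAccountName)
    $objUser.SetInfo()                        # object must exist before SetPassword
    $plain = [System.Net.NetworkCredential]::new("", $Password).Password
    $objUser.SetPassword($plain)
    $objUser.Put("userAccountControl", 512)   # NORMAL_ACCOUNT, enabled
    $objUser.SetInfo()
    Write-Host "Created CN=$FriendlyName in $container"
}

foreach ($a in $accounts) {
    $secret = Read-Host -AsSecureString "Password for $($a.Sam)"
    New-SPServiceAccount -FriendlyName $a.Name -SamAccountName $a.Sam -Password $secret
}
```

Run it as an account that has been delegated Create Child rights on the target container; Domain Admin membership is not required.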
There are additional steps that need to be taken to grant rights to the User Profile Sync account and to grant local Administrator rights to the Farm Admin account, but those will get covered in later posts.