Create FIM 2010 CM service accounts using PowerShell

During a recent customer case I created a small PowerShell script that creates all the service accounts used by FIM 2010 CM and configures the required SPN and delegation for Kerberos to work.

Before running the script, replace the variables at the top (UPN domain, issuing CA name, target OU, portal hostname and account names) with your own values.
The script prompts for the password of each account as it creates it.
You can also download the script here.

# Script needs to run as domain admin on a computer with the AD DS Admin Tools (RSAT) installed.
Import-Module ActiveDirectory

# Replace these values with your own before running.
$FIMCMUPNDomain = "ad.company.com"                  # UPN suffix / DNS domain of the accounts
$IssuingCA = "ca01"                                 # host name of the issuing CA
$OU = "OU=ServiceAccounts,DC=ad,DC=company,DC=com"  # where the accounts are created
$FIMCMPortalHostname = "cm.company.com"             # hostname users browse to for the FIM CM portal
$FIMCMPool = "svcFIMCMPool"
$FIMCMAgent = "svcFIMCMAgent"
$FIMCMEnrollAgent = "svcFIMCMEnrollAgent"
$FIMCMKRAgent = "svcFIMCMKRAgent"
$FIMCMAuthZAgent = "svcFIMCMAuthZAgent"
$FIMCMCAMngr = "svcFIMCMCAMngr"
$FIMCMService = "svcFIMCMService"

# FIM CM Pool (identity of the IIS application pool that runs the FIM CM portal).
# The UPN is quoted so PowerShell expands both variables instead of parsing the "@".
New-ADUser $FIMCMPool -SamAccountName $FIMCMPool -GivenName FIMCM -Surname Pool -DisplayName "FIM CM Pool" -UserPrincipalName "$FIMCMPool@$FIMCMUPNDomain" -Path $OU -Description "Application pool account for FIM CM Portal, $FIMCMPortalHostname" -AccountPassword (Read-Host -AsSecureString "$FIMCMPool Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# Kerberos settings
# SPN: registers http/<portal hostname> on the pool account so browsers can obtain a Kerberos ticket for the portal.
# -S checks for an existing (duplicate) SPN before adding it.
setspn -S http/$FIMCMPortalHostname $FIMCMPool
# Constrained delegation: the pool account may only delegate to the CA's RPCSS service (short and FQDN form).
Get-ADUser $FIMCMPool | Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = "rpcss/$IssuingCA", "rpcss/$IssuingCA.$FIMCMUPNDomain"}

# FIM CM Agent
New-ADUser $FIMCMAgent -SamAccountName $FIMCMAgent -GivenName FIMCM -Surname Agent -DisplayName "FIM CM Agent" -UserPrincipalName "$FIMCMAgent@$FIMCMUPNDomain" -Path $OU -Description "FIM CM Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# FIM CM Enrollment Agent
New-ADUser $FIMCMEnrollAgent -SamAccountName $FIMCMEnrollAgent -GivenName FIMCM -Surname EnrollAgent -DisplayName "FIM CM Enroll Agent" -UserPrincipalName "$FIMCMEnrollAgent@$FIMCMUPNDomain" -Path $OU -Description "FIM CM Enrollment Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMEnrollAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# FIM CM Key Recovery Agent
New-ADUser $FIMCMKRAgent -SamAccountName $FIMCMKRAgent -GivenName FIMCM -Surname KRAgent -DisplayName "FIM CM KR Agent" -UserPrincipalName "$FIMCMKRAgent@$FIMCMUPNDomain" -Path $OU -Description "FIM CM Key Recovery Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMKRAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# FIM CM Authorization Agent
New-ADUser $FIMCMAuthZAgent -SamAccountName $FIMCMAuthZAgent -GivenName FIMCM -Surname AuthZAgent -DisplayName "FIM CM AuthZ Agent" -UserPrincipalName "$FIMCMAuthZAgent@$FIMCMUPNDomain" -Path $OU -Description "FIM CM Authorization Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMAuthZAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# FIM CM CA Manager account
New-ADUser $FIMCMCAMngr -SamAccountName $FIMCMCAMngr -GivenName FIMCM -Surname CAMngr -DisplayName "FIM CM CA Mngr" -UserPrincipalName "$FIMCMCAMngr@$FIMCMUPNDomain" -Path $OU -Description "FIM CM CA Manager account" -AccountPassword (Read-Host -AsSecureString "$FIMCMCAMngr Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

# FIM CM Service account
New-ADUser $FIMCMService -SamAccountName $FIMCMService -GivenName FIMCM -Surname Service -DisplayName "FIM CM Service" -UserPrincipalName "$FIMCMService@$FIMCMUPNDomain" -Path $OU -Description "FIM CM Service account" -AccountPassword (Read-Host -AsSecureString "$FIMCMService Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
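Once the accounts exist, the two things that most often break FIM CM Kerberos later are a duplicate http/ SPN (the KDC then issues tickets for whichever account it finds first) and delegation that has drifted from the constrained rpcss/ targets. The following verification script is an addition to this post, not part of the original script or of the FIM CM product; it assumes the same variable values as the creation script above and that the ActiveDirectory module is available. It reports every deviation it finds and exits non-zero when there is at least one.

```powershell
# Added verification script (not part of the original post). Assumes the same
# variable values as the creation script and the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$FIMCMUPNDomain      = "ad.company.com"
$IssuingCA           = "ca01"
$FIMCMPortalHostname = "cm.company.com"
$FIMCMPool           = "svcFIMCMPool"
$AgentAccounts       = "svcFIMCMAgent", "svcFIMCMEnrollAgent", "svcFIMCMKRAgent",
                       "svcFIMCMAuthZAgent", "svcFIMCMCAMngr", "svcFIMCMService"

$expectedSpn        = "http/$FIMCMPortalHostname"
$expectedDelegation = "rpcss/$IssuingCA", "rpcss/$IssuingCA.$FIMCMUPNDomain"
$problems = @()

# 1. Every service account must exist, be enabled and keep its password.
#    The creation script sets PasswordNeverExpires; if it is off again, someone changed the account.
foreach ($name in @($FIMCMPool) + $AgentAccounts) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties PasswordNeverExpires
    if (-not $u)                      { $problems += "$name does not exist"; continue }
    if (-not $u.Enabled)              { $problems += "$name is disabled" }
    if (-not $u.PasswordNeverExpires) { $problems += "$name does not have PasswordNeverExpires set" }
}

# 2. The portal SPN must be registered on the pool account and on no other object.
#    A duplicate SPN breaks Kerberos for the portal (clients fall back to NTLM or fail logon).
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)" -Properties servicePrincipalName
if (-not $holders) {
    $problems += "SPN $expectedSpn is not registered on any account"
} else {
    foreach ($h in $holders) {
        if ($h.Name -ne $FIMCMPool) {
            $problems += "SPN $expectedSpn is also registered on $($h.DistinguishedName)"
        }
    }
}

# 3. Delegation on the pool account must be constrained to exactly the CA's RPCSS SPNs.
#    Extra targets widen what the pool account can reach on behalf of users;
#    the unconstrained flag (TrustedForDelegation) would remove the limit entirely.
$pool = Get-ADUser $FIMCMPool -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'
if ($pool.TrustedForDelegation) {
    $problems += "$FIMCMPool has unconstrained delegation enabled; expected constrained delegation only"
}
$actual = @($pool.'msDS-AllowedToDelegateTo')
foreach ($spn in $expectedDelegation) {
    if ($actual -notcontains $spn) { $problems += "$FIMCMPool is missing delegation target $spn" }
}
foreach ($spn in $actual) {
    if ($expectedDelegation -notcontains $spn) { $problems += "$FIMCMPool has unexpected delegation target $spn" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "FIM CM service accounts, portal SPN and constrained delegation match the expected configuration."
```

Run it from the same machine as the creation script (it only reads Active Directory, so any domain user with RSAT can run it). The `-notcontains` comparisons are case-insensitive by default, which matches how SPNs are compared; the LDAP search for the SPN covers computer accounts as well as users, so a stale registration on a web server's computer object is reported too.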
