Share via

Managed Service Accounts folder was deleted and recreated in AD, but still doesn't work right.

Daniel Yoon 25 Reputation points
2025-12-05T17:19:26.53+00:00

In our AD, the Managed Service Accounts folder was deleted a long a time ago. It's easy to search online and find the way to properly restore that folder so I know how to do that with the whole ADSI Edit removing and ADPREP commands, etc. etc.

But the problem is, when I go to create a new service account using New-ADServiceAccount, it keeps telling me that the parameter Path is required. It's like the MSA folder was created but my AD doesn't know it's there or it's not the default path anymore.

Does anyone know how to set it as the default path or how to resolve the path parameter requirement? I've tried all the powershell commands that were searchable and none of them worked.

Thank you!

Windows for business | Windows Server | Directory services | Active Directory
0 comments

Answer accepted by question author

  1. VPHAN 31,830 Reputation points Independent Advisor
    2025-12-05T18:08:27.6266667+00:00

    Hi Daniel Yoon,

    The specific error "Parameter Path is required" confirms that while you may have physically recreated the folder (Container), you haven't restored the Well-Known Object (WKO) pointer in the Active Directory database. The New-ADServiceAccount cmdlet doesn't look for a folder named "Managed Service Accounts" by string matching; it queries the wellKnownObjects attribute on the Domain Head to find the Distinguished Name (DN) associated with the specific GUID for MSAs. Since that link was severed when the original folder was deleted, the cmdlet defaults to failing because it has no target location.

    You can manually re-link the specific GUID (1EB93889-E40C-45DF-9F0C-64D23BBB6237) to your restored container without re-running domain prep. The most reliable method to manipulate this attribute is via LDP.exe, as standard AD tools often protect this attribute. Launch ldp.exe on a Domain Controller, connect and bind to the server, and verify the Distinguished Name of your currently existing MSA container (e.g., CN=Managed Service Accounts,DC=yourdomain,DC=com).

    Once you have the DN, navigate to View > Tree in LDP and select your domain root (e.g., DC=yourdomain,DC=com). Right-click the domain root object in the left pane and select Modify. In the "Edit Entry Attribute" box, type wellKnownObjects. In the "Values" box, you must enter the linkage in this exact binary string format: B:32:1EB93889E40C45DF9F0C64D23BBB6237:<DN of your MSA Container>. Ensure you replace <DN of your MSA Container> with the actual DN you verified earlier. Click Enter to add it to the entry list, then click Run.

    If the operation succeeds, Active Directory will immediately recognize that container as the default root for MSAs. You can verify this by running Get-ADDomain | Select-Object -ExpandProperty WellKnownObjects in PowerShell; you should see the MSA GUID mapped to your folder. Once this mapping exists, New-ADServiceAccount will stop prompting you for the -Path parameter.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

    Was this answer helpful?

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ben Armitage 0 Reputation points
    2026-03-04T11:29:33.03+00:00

    I have a similar issue but someone recreated the MSA(Instead of restoring it from the recycle bin) as an OU and not a CN. In LDP.exe the information for MSA is in otherWellKnownObjects. I am going to follow what VPHAN has suggested in editing it.

    User's image

    Was this answer helpful?

    0 comments
  2. VPHAN 31,830 Reputation points Independent Advisor
    2025-12-05T18:37:20.91+00:00

    You are very close, but the error 0x2035 (Unwilling To Perform) is telling us that you hit a logic constraint, not a permission wall. You generally do not need to be a Schema Admin or Enterprise Admin for this specific operation (Domain Admin is sufficient).

    The error occurs because the wellKnownObjects attribute is a list of specific "GUID-to-DN" mappings, and you can’t have duplicate GUIDs. Currently, your Active Directory still contains the old mapping for the MSA GUID (1EB...), likely pointing to a "Deleted Object" (\0ADEL:...). The system refuses to "Add" your new mapping because that GUID slot is already taken, and it often refuses a simple "Replace" on this specific system attribute.

    To fix this, you must perform a Delete operation for the old line first, and then Add the new line.

    You need the exact string currently stored in AD to delete it. You can’t guess it because it likely contains the specific GUID of the deleted folder.

    1. Run this command in PowerShell as Administrator to see the current list:

    Get-ADObject "DC=yourdomain,DC=com" -Properties wellKnownObjects | Select-Object -ExpandProperty wellKnownObjects

    1. Look for the line starting with B:32:1EB93889E40C45DF9F0C64D23BBB6237:.... It will likely end with something like ...CN=Managed Service Accounts\0ADEL:xxxxx....
    2. Copy that entire string exactly.

    Next, do not try to do this in one "Replace" operation.

    Step A: Delete the Old Link

    1. Back in LDP.exe, right-click the domain root -> Modify.
    2. Attribute: wellKnownObjects
    3. Operation: Select DELETE.
    4. Values: Paste the Old/Zombie string you copied from PowerShell.
    5. Click Enter (to add it to the entry list on the right).
    6. Click Run.

    => Result: This should return "Success". The GUID is now free.

    Step B: Add the New Link

    1. Clear the entry list in the Modify window.
    2. Attribute: wellKnownObjects
    3. Operation: Select ADD.
    4. Values: Enter your New string format: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=yourdomain,DC=com (Make sure the DN matches your new folder exactly).
    5. Click Enter.
    6. Click Run.

    Alternative: The “Nuclear” Option (ADPREP)

    If LDP continues to fight you (sometimes specific AD versions are very stubborn about editing this attribute manually), there is a supported “Reset” method using adprep.

    1. Open ADSI Edit, connect to the Configuration partition.
    2. Navigate to CN=Configuration,DC=... > CN=Services > CN=Windows NT > CN=Directory Service > CN=Domain Updates > CN=System.
    3. Delete the two containers related to MSA updates (GUIDs 5e1574f6... and d262aae8...).
    4. On your Domain Controller (with Server install media mounted), run adprep /domainprep.

    Because you deleted the update history for MSAs, adprep will think it has never created the MSA container before. It will mistakenly "re-run" that logic, creating the container (or finding the existing one) and forcing the WKO link to update correctly.

    Anyway, I recommend trying the LDP "Delete then Add" method first as it is less invasive.

    If this answer helps you get more insight into the issue, it's appreciated of you to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Was this answer helpful?

  3. Q&A Assist
    2025-12-05T17:19:40.9666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It sounds like you're encountering an issue with the New-ADServiceAccount cmdlet where it requires the Path parameter due to the Managed Service Accounts (MSA) folder not being recognized correctly in Active Directory after it was recreated. Here are some steps you can take to troubleshoot and resolve this issue:

    1. Verify the MSA Folder: Ensure that the Managed Service Accounts folder has been correctly recreated in Active Directory. You can use Active Directory Users and Computers (ADUC) to check if the folder exists and is properly configured.
    2. Specify the Path Parameter: Since the cmdlet is requiring the Path parameter, you can explicitly specify the path to the MSA folder when you run the New-ADServiceAccount cmdlet. For example: 
         New-ADServiceAccount -Name "YourServiceAccountName" -Path "OU=Managed Service Accounts,DC=yourdomain,DC=com"
      Replace the OU and DC values with the appropriate values for your environment.
    3. Default Path Check: If you want to set a default path for future service accounts, you may need to ensure that the default container for managed service accounts is correctly configured in your domain. Unfortunately, there is no direct cmdlet to set a default path for MSAs, but ensuring the folder is correctly set up and accessible should help.
    4. Permissions: Make sure that you have the necessary permissions to create managed service accounts in the specified path. Lack of permissions might also cause issues when trying to create new accounts.
    5. Replication: If your Active Directory environment has multiple domain controllers, ensure that the changes have replicated across all controllers. You can use the repadmin command to check the replication status.

    If these steps do not resolve the issue, you may want to consider checking the event logs for any errors related to Active Directory or the creation of service accounts, as they might provide more insights into what is going wrong.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.