Topic last updated -- November 2007

You can use the Manage Site Accounts tool (MSAC.exe) through the command-line interface to quickly and easily create, change, verify, delete, and list user-defined Windows accounts for your Microsoft System Center Configuration Manager 2007 sites.

Note
This version of the Manage Site Accounts tool is supported for Configuration Manager 2007 sites only. If you need to manage accounts at an SMS 2003 site, you must use the SMS 2003 version of the tool. The SMS 2003 Manage Site Accounts Tool cannot change the Client Push Installation account. There is no supported way to change this account for an SMS 2003 secondary site.

You can change more account types than you can add, because most account types allow only a single account per site. You can add as many Client Push Installation accounts as you want, but a site has only one Network Access Account, so specifying a new one replaces the existing account rather than adding a second one.

Listing all of the accounts is useful for security auditing: the listing shows which accounts each site is configured to use, so you can confirm that only the accounts you expect are present at every site in the hierarchy and that each one is still needed.

List of Accounts That Can Be Managed

The following accounts can be managed by the Manage Site Accounts tool.

Account Name                                  Identifier                              Actions

Client Push Installation Account              ClientPushAccount                       Add, Change*, Delete, Verify, List
Network Access Account                        NetworkAccessAccount                    Change, Delete, Verify, List
Site Address Account                          SiteAddressAccount                      Change, Verify, List
Health State Reference Querying Account       SHVToADReaderAccount                    Change, Verify, List
Health State Reference Publishing Account     SHVToADWriterAccount                    Change, Verify, List
Software Update Point Proxy Server Account    SoftwareUpdatePointProxyServerAccount   Change, Verify, List

Note
The tool can manage the Software Update Point Proxy Server account only if the software update point is installed on the site server.

* The -Set command cannot actually change the password on the Client Push Installation account. To change the Client Push Installation account, use the -Delete option to remove the account and then use the -Add option to create the account.

Note
Although the command line help shows that you can manage the Site System Installation Account [SiteSystemInstallationAccount], it does not work.

Manage Site Accounts Tool Syntax

The Manage Site Accounts tool (Msac.exe) has the following command-line syntax and command-line parameters that you can use to manage all Windows accounts that Configuration Manager 2007 uses.

msac.exe -[ ADD | SET | DELETE | VERIFY | LIST | ? ] [arguments]

Command-line parameter   Description

-ADD                     Adds the given account on the specified server.
-SET                     Changes an existing account to a new account.
-DELETE                  Deletes the given account on the specified server.
-VERIFY                  Verifies the given account on the specified server.
-LIST                    Lists existing accounts, to the screen or to a file, for all or a specified account category on the specified server.
-? or /?                 Displays command-line help.

Add a New Account

Use the following command-line syntax and parameters to create a new account.

Important
The Manage Site Accounts tool configures the account in the Configuration Manager 2007 console but does not actually create the account in Active Directory Domain Services. You must still create the account in the domain and set the password.
msac.exe -ADD <server> <Domain\account> <accountCategory>
			 [ -S <SiteCode1> [, <SiteCode2> [ ... ] ] ]
			 [ -PA <Password> | -G ]
			 [ -R ] [ -I ] [ -T ] [ -V ] [ -P ] [ -? ] [ /? ]

Command-line parameter Description

<server>

Indicates the name of the site server.

<domain\account>

Indicates the domain to be used and account to be added. You can add only one account at a time.

If the -P parameter is not specified, this property requires the <domain\account> format. If you use -P, specify only the account name.

<accountCategory>

Indicates the account category to which the new account will belong.

The only possible value for this property is:

ClientPushAccount (Client Push Installation Account)

You cannot configure accounts that are used on site systems such as the Management Point Database Connection account.

-S

Indicates the site code to process, if not using the current site.

For example, this could be the site code for a child site.

-PA

Specifies a password for the new user account.

The password is passed as a plain command-line argument, so it is visible to anyone who can read process command lines on that computer and may be recorded in command history or logs. Run the tool only from a trusted administrative session.

Do not use this parameter if you intend to specify automatic strong password creation. Instead, use the -G parameter.

-G

Creates a strong password for the new account.

This parameter causes a strong password to be automatically generated, using a strong algorithm.

Important
The Manage Site Accounts tool generates a strong password and configures it for the account in the Configuration Manager 2007 console but does not actually set the password in Active Directory Domain Services. Until you configure the domain account to use the generated password, the account will fail. Protect the password as you transfer it from the console output to configure the account in Active Directory.

-R

Adds the new account to all the child sites belonging to the site server specified as <server>.

Note
Due to a known issue, the -G -R combination does not generate the same strong password for all child sites. WORKAROUND: If you must use a generated strong password for all child sites, use MSAC -add -G at the parent site, note the resulting strong password, then use MSAC -add -PA <strong password> -R to configure that same password throughout the hierarchy. (-PA and -G are alternatives in the syntax above; the second command passes the noted password explicitly and relies on -R to reach the child sites.)

-I

Indicates that you want to ignore any errors that occur while the account is being added to child sites, and to continue the process of adding the account.

If you use this parameter, you can still view the ignored errors in the console output.

-T

Specifies that the changes that you requested should run in test mode, without actually affecting your system.

-V

Specifies that a log showing the details of the new account creation should be displayed as output in the console.

-P

Specifies that the new account should use the domain of existing accounts.

Some account types might be in use in several domains, using the same name and the same password in each domain. When such an account requires an update, each copy of the account is changed and updated with the same new password. For this reason, if you use the -P parameter, the tool examines the existing domain name and reuses it, without you having to specify it.

-? or /?

Displays the command-line Help and usage.
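The rotation procedure the footnote above describes (delete the Client Push Installation account, add it again with the new password, and set that same password on the domain account yourself, because the tool only records it in the site) as an added PowerShell example. This script is not part of the TechNet page or of the Configuration Manager product. SITESERVER01, CONTOSO\svc-cmpush and the LDAP path are placeholders; the script assumes msac.exe is on the PATH and that a nonzero exit code means failure, which the page does not document, so read the console output as well. It generates the password locally instead of using -G, because a -G password is only printed to the console. Because -PA puts the password on the command line, run this only from a trusted administrative session, and run it without -Apply first to see the -T test-mode output.

```powershell
# Added example: rotate a Client Push Installation account with msac.exe.
# Placeholders (assumptions, not from the page): SITESERVER01, CONTOSO\svc-cmpush, LDAP path.
param(
    [string]$SiteServer = 'SITESERVER01',
    [string]$Domain     = 'CONTOSO',
    [string]$Account    = 'svc-cmpush',
    [string]$LdapPath   = 'LDAP://CN=svc-cmpush,OU=Service Accounts,DC=contoso,DC=com',
    [switch]$Apply      # without -Apply only the msac -T (test mode) runs are executed
)
$ErrorActionPreference = 'Stop'
$qualified = "$Domain\$Account"

function New-StrongPassword {
    # Random password from the OS CSPRNG; rejection sampling avoids modulo bias.
    # The character set excludes quotes, spaces and backslashes so the value
    # survives being passed as one msac.exe argument.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$-_=+.'
    $limit = 256 - (256 % $chars.Length)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Invoke-Msac {
    # Runs msac.exe, echoes the command with the password masked, and stops on a
    # nonzero exit code (assumed to mean failure; exit codes are not documented).
    param([string[]]$Arguments, [string]$Secret)
    $shown = $Arguments | ForEach-Object { if ($Secret -and $_ -eq $Secret) { '********' } else { $_ } }
    Write-Host ('msac.exe ' + ($shown -join ' '))
    & msac.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "msac.exe failed with exit code $LASTEXITCODE" }
}

# 1. Confirm the site actually holds this Client Push account before touching it.
Invoke-Msac @('-VERIFY', $SiteServer, $qualified, 'ClientPushAccount')

$newPassword = New-StrongPassword

# 2. Dry run: -T reports what would change without affecting the site.
Invoke-Msac @('-DELETE', $SiteServer, $qualified, 'ClientPushAccount', '-T')
Invoke-Msac @('-ADD', $SiteServer, $qualified, 'ClientPushAccount', '-PA', $newPassword, '-T') $newPassword

if ($Apply) {
    # 3. Set the password in AD DS first: MSAC only records it in the site, and the
    #    account fails until the domain password matches what the site holds.
    $user = [ADSI]$LdapPath
    $user.psbase.Invoke('SetPassword', $newPassword)

    # 4. -SET cannot change this account's password, so delete it and add it again.
    Invoke-Msac @('-DELETE', $SiteServer, $qualified, 'ClientPushAccount')
    Invoke-Msac @('-ADD', $SiteServer, $qualified, 'ClientPushAccount', '-PA', $newPassword) $newPassword
    Invoke-Msac @('-VERIFY', $SiteServer, $qualified, 'ClientPushAccount')
}

# 5. Drop the plaintext from this session as soon as it is no longer needed.
Remove-Variable newPassword
```

The AD DS password is set before the site is reconfigured so that the window in which the two disagree is as short as possible; if the -DELETE or -ADD step fails, repeat only the MSAC steps with the same password rather than generating a new one. Add -R to the -DELETE and -ADD calls if the account is also configured at child sites.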

Change an Account

Use the following command-line syntax and parameters to change the current account to a new account.

Important
The Manage Site Accounts tool configures the new account in the Configuration Manager 2007 console but does not create the account in Active Directory Domain Services or change its password there. You must still create the account in the domain and set the password.
msac.exe -SET <server> <Domain\account> <Domain\Newaccount | ComputerAccount> <AccountCategory>
			 [ <AddressType> <Destination> ] [ -PA <password> | -G ]
			 [ -S <SiteCode1> [, <SiteCode2> [ ... ] ] ]
			 [ -R ] [ -I ] [ -T ]
			 [ -V ] [ -P ] [ -? ] [ /? ]

Command-line parameter Description

<server>

Indicates the name of the site server.

<domain\account>

Indicates the domain to be used and the user account to be modified.

If the -P parameter is not specified, this property requires the <domain\account> format. If you use -P, specify only the account name.

<Domain\NewAccount>

Specifies the new user account that will replace the existing account.

Note

You can use ComputerAccount instead of <Domain\NewAccount> for SiteAddressAccount.

<AccountCategory>

Indicates the account category to which the modified account will belong.

Valid values:

  • NetworkAccessAccount (Network Access account)

  • SiteAddressAccount (Site Address account)

  • SHVToADReaderAccount (Health State Reference Querying account)

  • SHVToADWriterAccount (Health State Reference Publishing account)

  • SoftwareUpdatePointProxyServerAccount (Software Update Point Proxy Server account)

Note
ClientPushAccount is not a valid value here because the -Set command cannot change the password on the Client Push Installation account. To change the Client Push Installation account, use the -Delete option to remove the account and then use the -Add option to create the account.

<AddressType>

Indicates the address type of the sender address account you are modifying.

Possible values for this property are:

  • MS_LAN

  • MS_X25_RAS

  • MS_ISDN_RAS

  • MS_ASYNC_RAS

  • MS_SNA_RAS

Note
The AddressType property is required for the SiteAddressAccount category.

ComputerAccount

Replaces a sender address account (Site Address account) with the computer account of the site system. ComputerAccount is used only with the -SET command and the SiteAddressAccount category, and it takes the place of <Domain\NewAccount>.

<Destination>

Indicates the destination site code for the modified account.

-PA

Specifies a password for the modified user account.

The password is passed as a plain command-line argument, so it is visible to anyone who can read process command lines on that computer and may be recorded in command history or logs. Run the tool only from a trusted administrative session.

Do not use this parameter if you intend to specify automatic strong password creation. Instead, use the -G parameter.

-G

Specifies a strong password for the modified account.

This parameter causes a strong password to be automatically generated using a strong algorithm.

Important
The Manage Site Accounts tool generates a strong password and configures it for the account in the Configuration Manager 2007 console but does not actually set the password in Active Directory Domain Services. Until you configure the domain account to use the generated password, the account will fail. Protect the password as you transfer it from the console output to configure the account in Active Directory.

-S

Indicates the site code to process, if not using the current site.

For example, this could be the site code for a child site.

-R

Adds the modified account to all the child sites belonging to the site server specified as <server>.

Note
Due to a known issue, the -G -R combination does not generate the same strong password for all child sites. WORKAROUND: If you must use a generated strong password for all child sites, use MSAC -set -G at the parent site, note the resulting strong password, then use MSAC -set -PA <strong password> -R to configure that same password throughout the hierarchy. (-PA and -G are alternatives in the syntax above; the second command passes the noted password explicitly and relies on -R to reach the child sites.)

-I

Indicates that you want to ignore any errors that occur while the modified account is being added to child sites, and to continue the process of adding the account.

If you use this parameter, you will still be able to view the ignored errors in the console output.

-T

Specifies that the changes that you requested should run in test mode, without actually affecting your system.

-V

Specifies that a log showing the details of the account modification should be displayed as output in the console.

-P

Use this parameter to specify that the modified account should use the domain of existing accounts.

Some account types might be in use in several domains, using same name and same password in each domain. When such an account requires an update, each copy of the account will be changed and updated with the same new password. For this reason, if you use the -P parameter, this tool will examine the domain name, and reuse it, without you having to specify it each time.

-? or /?

Displays the command-line Help and usage.
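For SiteAddressAccount the -SET syntax places the address type and destination site code after the category, which is the easiest part of this tool to get wrong. The following added PowerShell example (not from the TechNet page or the Configuration Manager product) verifies the current sender account on a standard sender (MS_LAN) address, runs the change in test mode, and then replaces the user account with the site system's computer account so that no separately managed password remains for that address. SITESERVER01, CONTOSO\svc-cmsender and the destination site code CEN are placeholders, and a nonzero exit code is assumed to mean failure, which the page does not document.

```powershell
# Added example: switch a Site Address (sender) account to the computer account with msac.exe.
# Placeholders (assumptions, not from the page): SITESERVER01, CONTOSO\svc-cmsender, CEN.
param(
    [string]$SiteServer     = 'SITESERVER01',
    [string]$CurrentAccount = 'CONTOSO\svc-cmsender',
    [string]$AddressType    = 'MS_LAN',   # standard sender; the RAS senders are the other valid values
    [string]$Destination    = 'CEN',      # site code the address points to
    [switch]$Apply                        # without -Apply only -VERIFY and the -T test run execute
)
$ErrorActionPreference = 'Stop'

function Assert-MsacSucceeded {
    param([string]$Step)
    # Exit codes are not documented on the page; nonzero is assumed to be a failure.
    if ($LASTEXITCODE -ne 0) { throw "msac.exe $Step failed with exit code $LASTEXITCODE" }
}

# -VERIFY for SiteAddressAccount takes the address type and destination as well.
& msac.exe -VERIFY $SiteServer $CurrentAccount SiteAddressAccount $AddressType $Destination
Assert-MsacSucceeded '-VERIFY'

# -SET argument order: server, current account, replacement, category, address type, destination.
# ComputerAccount replaces <Domain\NewAccount> and is valid only for SiteAddressAccount.
& msac.exe -SET $SiteServer $CurrentAccount ComputerAccount SiteAddressAccount $AddressType $Destination -T
Assert-MsacSucceeded '-SET -T'

if ($Apply) {
    # -V prints the modification log to the console so the change is recorded in the session output.
    & msac.exe -SET $SiteServer $CurrentAccount ComputerAccount SiteAddressAccount $AddressType $Destination -V
    Assert-MsacSucceeded '-SET'
}
```

Run it once without -Apply and read the test-mode output; if the -VERIFY step fails, the account, address type or destination does not match what the site holds, and the -SET would be applied against the wrong address.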

Delete an Account

Use the following command-line syntax and parameters to delete an existing account:

msac.exe -DELETE <server> <Domain\Account> <AccountCategory>
			 [ -S <SiteCode1> [, <SiteCode2> [ ... ] ] ]
			 [ -R ] [ -I ] [ -T ]
			 [ -V ] [ -P ] [ -? ] [ /? ]

Command-line parameter Description

<server>

Indicates the name of the site server.

<domain\account>

Indicates the domain to be used, and account to be deleted.

If the -P parameter is not specified, this property requires the <domain\account> format. If you use -P, specify only the account name.

<accountCategory>

Indicates the account category to which the account you are deleting belongs.

Possible values for this property are:

  • NetworkAccessAccount (Network Access Account)

  • ClientPushAccount (Client Push Installation account)

-S

Indicates the site code to process, if not using the current site.

For example, this could be the site code for a child site to which the account belongs.

-R

Removes the account from all the child sites belonging to the site server specified as <server>.

-I

Indicates that you want to ignore any errors that occur while the account is being removed from child sites, and to continue the process of deleting the account.

If you use this parameter, you can still view the ignored errors in the console output.

-T

Specifies that the changes that you requested should run in test mode, without actually affecting your system.

-V

Specifies that a log showing the details of the account deletion should be displayed as output in the console.

-P

Indicates that the account to be deleted uses the domain of existing accounts.

Some account types might be in use in several domains, using the same name and same password in each domain. When such an account requires an update, each copy of the account will be changed and updated with the same new password. For this reason, if you use the -P parameter, this tool will examine the domain name and reuse it, without you having to specify it each time.

-? or /?

Displays the command-line Help and usage.

Verify an Account

Use the following command-line syntax and parameters to verify an existing account:

msac.exe -VERIFY <server> <Domain\account> <AccountCategory>
			 [ <AddressType> <Destination> ]
			 [ -S <SiteCode1> [, <SiteCode2> [ ... ] ] ]
			 [ -R ] [ -I ]
			 [ -V ] [ -P ] [ -? ] [ /? ]

Command-line parameter Description

<server>

Indicates the name of the site server.

<domain\account>

Indicates the domain to be used and account to be verified.

If the -P parameter is not specified, this property requires the <domain\account> format. If you use -P, specify only the account name.

<AccountCategory>

Indicates the account category to which the account you are verifying belongs.

Valid values:

  • NetworkAccessAccount (Network Access account)

  • ClientPushAccount (Client Push Installation account)

  • SiteAddressAccount (Site Address account)

  • SHVToADReaderAccount (Health State Reference Querying account)

  • SHVToADWriterAccount (Health State Reference Publishing account)

  • SoftwareUpdatePointProxyServerAccount (Software Update Point Proxy Server account)

Note
Secondary sites do not have Health State Reference Querying accounts or Health State Reference Publishing accounts; these accounts can be verified only at primary sites.

<AddressType>

Indicates the address type of the account you are verifying.

Possible values for this property are:

  • MS_LAN

  • MS_X25_RAS

  • MS_ISDN_RAS

  • MS_ASYNC_RAS

  • MS_SNA_RAS

The AddressType property is required for the SiteAddressAccount category.

<Destination>

Indicates the destination site code for the account you are verifying.

-S

Indicates the site code to process, if not using the current site.

For example, this could be the site code for a child site to which the account belongs.

-R

Verifies the account on all the child sites belonging to the site server specified as <server>.

-I

Indicates that you want to ignore any errors that occur while the account is being verified on child sites, and to continue the process of verifying the account.

If you use this parameter, you can still view the ignored errors in the console output.

-V

Specifies that a log showing the details of the account verification should be displayed as output in the console.

-P

Indicates that the account you are verifying uses the domain of existing accounts.

Some account types might be in use in several domains, using the same name and same password in each domain. When such an account requires an update, each copy of the account will be changed and updated with the same new password. For this reason, if you use the -P parameter, this tool will examine the domain name and reuse it, without you having to specify it each time.

-? or /?

Displays the command-line Help and usage.

List Accounts

Use the following command-line syntax and parameters to list existing accounts:

msac.exe -LIST <server> <AccountCategory>
			 [ -S <SiteCode1> [, <SiteCode2> [ ... ] ] ]
			 [ -R ]
			 [ -FILE <path and filename> ] [ -? ] [ /? ]

Command-line parameter Description

<server>

Indicates the name of the site server.

<AccountCategory>

Indicates the account category to which the account you are listing belongs.

The AllAccount category is used to list all account categories.

Valid values:

  • NetworkAccessAccount (Network Access account)

  • ClientPushAccount (Client Push Installation account)

  • SiteAddressAccount (Site Address account)

  • SHVToADReaderAccount (Health State Reference Querying account)

  • SHVToADWriterAccount (Health State Reference Publishing account)

  • SoftwareUpdatePointProxyServerAccount (Software Update Point Proxy Server account)

  • AllAccount (lists all accounts)

-S

Indicates the site code to process, if not using the current site.

For example, this could be the site code for a child site.

-R

Lists account details for all of the child sites.

-FILE

Specifies a file as output for the list parameter. A full output path and file name is required when using this parameter.

-? or /?

Displays the command-line Help and usage.
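The auditing use of -LIST mentioned at the top of this topic, as an added PowerShell example that is not part of the TechNet page or the Configuration Manager product: it writes the full hierarchy listing to a timestamped file with -FILE and -R, then diffs it line by line against the previous run so that an account that appears or disappears at any site is flagged. SITESERVER01 and C:\Audit\msac are placeholders; the script assumes msac.exe is on the PATH and that a nonzero exit code means failure, which the page does not document. The listing's exact output format is also not documented here, so the comparison is deliberately format-agnostic.

```powershell
# Added example: snapshot every site account with msac.exe -LIST and diff against the last snapshot.
# Placeholders (assumptions, not from the page): SITESERVER01 and C:\Audit\msac.
param(
    [string]$SiteServer  = 'SITESERVER01',
    [string]$SnapshotDir = 'C:\Audit\msac'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $SnapshotDir)) {
    New-Item -ItemType Directory -Path $SnapshotDir | Out-Null
    # The listing names the accounts in use at every site, which tells an attacker
    # which accounts to target, so keep it readable by administrators only.
    & icacls.exe $SnapshotDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$current = Join-Path $SnapshotDir "accounts-$stamp.txt"
$latest  = Join-Path $SnapshotDir 'accounts-latest.txt'

# -FILE requires a full path; -R includes every child site below the server.
& msac.exe -LIST $SiteServer AllAccount -R -FILE $current
if ($LASTEXITCODE -ne 0) { throw "msac.exe -LIST failed with exit code $LASTEXITCODE" }  # exit codes assumed, not documented
if (-not (Test-Path $current)) { throw "msac.exe produced no output file at $current" }

if (Test-Path $latest) {
    $old = @(Get-Content $latest)
    $new = @(Get-Content $current)
    if ($old.Count -eq 0 -or $new.Count -eq 0) {
        Write-Warning 'One of the listings is empty; review both files by hand.'
    } else {
        $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new
        if ($diff) {
            Write-Warning "Site account configuration changed since the last snapshot ($latest):"
            foreach ($d in $diff) {
                $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
                Write-Host "$tag $($d.InputObject)"
            }
        } else {
            Write-Host 'No change since the last snapshot.'
        }
    }
}
Copy-Item -Path $current -Destination $latest -Force
```

Schedule this from the site server under an administrative account and treat any ADDED or REMOVED line as an event to reconcile against your change records. If the listing turns out to contain a line that changes on every run (a date header, for example), filter that line out of $old and $new before the comparison so the diff stays meaningful.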
