Error When the dsacls Command for Okta Service Account Is Run in PowerShell Versus Command Prompt
Okta Classic Engine
Directories
Okta Identity Engine
Overview

While PowerShell and CMD commands are outside the scope of Okta Support, this article is provided as a best effort to assist with a common issue.

  1. When running the dsacls command in a PowerShell window with elevated permissions, an error may be returned stating:

     The term <term> is not recognized as the name of a cmdlet, function, script file, or operable program.

     Here are two examples:

     a. dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user

        pwdLastSet : The term 'pwdLastSet' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

     b. dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user

        lockoutTime : The term 'lockoutTime' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

  2. Running dsacls for a service account whose name contains a special character succeeds in Command Prompt, but in PowerShell it returns the error "The parameter is incorrect. The command failed to complete successfully.":

     dsacls "OU=targetOU,DC=domain" /G "domain\agentserviceaccount$:CCDC;user"

     For example: dsacls "DC=TESTDOMAIN,DC=internal" /G "testdomain\OktaTestService$:CCDC;user"

Applies To
  • Directories
  • Active Directory (AD)
  • PowerShell
  • Command Prompt
Cause

The error is encountered if the dsacls command is executed from an elevated PowerShell prompt rather than from an elevated Command Prompt, or if the command is executed on a server that does not have the Active Directory Domain Services role installed. In PowerShell an unquoted semicolon is a statement separator, so in /G domain\agentserviceaccount:WP;pwdLastSet;user everything after the first semicolon (pwdLastSet, then user) is run as a separate command, which is why the error names the attribute as the unrecognized term. Additionally, PowerShell parses special characters, such as the dollar sign ($), differently than the Command Prompt: inside a double-quoted string, $ begins a variable reference, so a service account name containing $ is not passed to dsacls literally, causing syntax errors.

Solution

How is the dsacls command executed successfully?

The dsacls command requires a server with the Active Directory Domain Services role installed, such as a domain controller.

Resolve the errors by running the command from an elevated Command Prompt or by enclosing the PermissionStatement syntax in double quotation marks in PowerShell.

  1. Open the Command Prompt as administrator to execute the dsacls command.

     Examples:

     • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;pwdLastSet;user"
     • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;lockoutTime;user"

  2. If the command must be performed using PowerShell with elevated privileges, enclose the PermissionStatement syntax in double quotation marks.

     Examples:

     • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;pwdLastSet;user"
     • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;lockoutTime;user"

  3. If the service account name contains the special character '$':

     Option 1: Use single quotation marks to prevent variable expansion in PowerShell.

     dsacls "OU=targetOU,DC=domain" /G 'domain\agentserviceaccount$:CCDC;user'
     For example: dsacls "DC=TESTDOMAIN,DC=internal" /G 'testdomain\OktaTestService$:CCDC;user'

     Option 2: Escape the $ with a backtick (`) inside double quotation marks.

     dsacls "OU=targetOU,DC=domain" /G "domain\agentserviceaccount`$:CCDC;user"
     For example: dsacls "DC=TESTDOMAIN,DC=internal" /G "testdomain\OktaTestService`$:CCDC;user"
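The following PowerShell script is an added example, not code from this article or from Okta. It applies the same grants the article shows (WP on pwdLastSet and lockoutTime with inheritance, and CCDC for user objects) from an elevated PowerShell session, but builds each PermissionStatement as a single string and passes it to dsacls.exe through the call operator with an argument array, so the ';' and '$' never reach PowerShell's parser. It also checks the two prerequisites the article names (an elevated session and a host where dsacls.exe exists, i.e. the AD DS role or RSAT AD DS tools are installed) and does a read-back of the ACL. The DN, account name and attribute list are placeholders, and the matching pattern in Test-AceListed is an assumption about how dsacls lists property-specific ACEs.

```powershell
# Added example (not Okta's code): apply the article's dsacls grants from an
# elevated PowerShell session while keeping ';' and '$' away from PowerShell's parser.
# Assumptions: the DN, trustee and attribute list are placeholders, and dsacls.exe
# is on PATH because the AD DS role (or RSAT AD DS tools) is installed.

$TargetDn   = 'OU=targetOU,DC=domain'        # placeholder target OU
$Trustee    = 'domain\agentserviceaccount$'  # placeholder; single quotes keep the $ literal
$Attributes = @('pwdLastSet', 'lockoutTime')

function Test-IsElevated {
    # dsacls needs an elevated session, whichever shell is used.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DsaclsAvailable {
    # Without the AD DS role / RSAT AD DS tools, 'dsacls' itself is the unrecognized term.
    return $null -ne (Get-Command dsacls.exe -ErrorAction SilentlyContinue)
}

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # The call operator with an argument array hands each element to dsacls.exe as
    # one argument: a ';' inside a PermissionStatement is never a statement
    # separator and a '$' is never a variable reference.
    $output = & dsacls.exe @Arguments 2>&1 | Out-String
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

function Grant-WritePropertyInherited {
    param([string]$Dn, [string]$Account, [string]$Attribute)
    # Equivalent of: dsacls "<Dn>" /I:S /G "<Account>:WP;<Attribute>;user"
    $statement = '{0}:WP;{1};user' -f $Account, $Attribute
    return Invoke-Dsacls -Arguments @($Dn, '/I:S', '/G', $statement)
}

function Grant-CreateDeleteUser {
    param([string]$Dn, [string]$Account)
    # Equivalent of: dsacls "<Dn>" /G "<Account>:CCDC;user"
    $statement = '{0}:CCDC;user' -f $Account
    return Invoke-Dsacls -Arguments @($Dn, '/G', $statement)
}

function Test-AceListed {
    param([string]$Dn, [string]$Account, [string]$Attribute)
    # Heuristic read-back: list the ACL (dsacls "<Dn>" with no switches) and look
    # for the trustee followed within a few lines by the attribute name.
    # Assumption: dsacls prints property-specific ACEs with the trustee and the
    # attribute name close together.
    $listing = (Invoke-Dsacls -Arguments @($Dn)).Output
    $pattern = [regex]::Escape($Account) + '[\s\S]{0,300}' + [regex]::Escape($Attribute)
    return [bool]($listing -match $pattern)
}

if (-not (Test-IsElevated))      { throw 'Run this from an elevated PowerShell session.' }
if (-not (Test-DsaclsAvailable)) { throw 'dsacls.exe not found: install the AD DS role or RSAT AD DS tools.' }

foreach ($attr in $Attributes) {
    $result = Grant-WritePropertyInherited -Dn $TargetDn -Account $Trustee -Attribute $attr
    if ($result.ExitCode -ne 0) {
        Write-Error "dsacls failed for $attr`n$($result.Output)"
        continue
    }
    $listed = Test-AceListed -Dn $TargetDn -Account $Trustee -Attribute $attr
    Write-Host ('{0,-12} granted; found in ACL read-back: {1}' -f $attr, $listed)
}

$result = Grant-CreateDeleteUser -Dn $TargetDn -Account $Trustee
if ($result.ExitCode -ne 0) { Write-Error "dsacls CCDC grant failed:`n$($result.Output)" }
```

Run the script from an elevated PowerShell window on a domain controller (or a host with the RSAT AD DS tools) after replacing the placeholders. The argument-array approach is a third way of achieving what the article's single-quote and backtick options do; a further alternative not covered by the article is PowerShell's stop-parsing token (PowerShell 3.0 and later), `dsacls --% "OU=targetOU,DC=domain" /G domain\agentserviceaccount$:CCDC;user`, which passes everything after `--%` to dsacls.exe verbatim.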

