Add Additional Computers/Host to Existing gMSA


This topic contains 5 replies, has 5 voices, and was last updated 1 month, 2 weeks ago.

  • #117276

    Participant
    Points: 13
    Rank: Member

    I need to be able to add additional computers to the existing list of a pre-existing gMSA. Re-running the Set-ADServiceAccount command only replaces the existing list. And running Add-ADComputerServiceAccount doesn't seem to do anything.

  • #117366

    Participant
    Points: 870
    Helping Hand
    Rank: Major Contributor

    If you have written some code to do this, can you please share it here?

  • #117393

    Participant
    Points: 11
    Rank: Member

    Sounds like you are trying to add a new principal to retrieve the password. You might try something like this...

    $GMSAAccount = Get-ADServiceAccount AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
    # Take the current list, append the new principal's DN, then write the whole list back
    $NewPrincipals = @($GMSAAccount.PrincipalsAllowedToRetrieveManagedPassword) + 'CN=NewAccountname,OU=SomeOU,DC=domain,DC=local'
    Set-ADServiceAccount AccountName -PrincipalsAllowedToRetrieveManagedPassword $NewPrincipals
    
  • #117445

    Participant
    Points: 319
    Helping Hand
    Rank: Contributor

    You need to show how you are using these, otherwise you just leave it a guessing effort, which is not helpful to you relative to any resolution.

    What you are seeing for Set-ADServiceAccount, is by design.
    What you say you are seeing with Add-ADComputerServiceAccount is not by design. Of course this cmdlet is explicitly designed to

    'Adds one or more service accounts to an Active Directory computer.'
    https://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adcomputerserviceaccount?view=win10-ps

    So, again, show what you are doing.

  • #117478

    Participant
    Points: 319
    Helping Hand
    Rank: Contributor

    Regarding what you posted, if you are passing a collection, you have to pass that via a loop using either of these cmdlets, since, as per the docs, they are expecting a singular entry.

     $NewPrincipals  | %{Set-ADServiceAccount AccountName -PrincipalsAllowedToRetrieveManagedPassword $_}
    

    How you are passing this in is also not how it is documented.

    ————————– EXAMPLE 3 ————————–

    C:\PS>Set-ADServiceAccount service1 -PrincipalsAllowedToRetrieveManagedPassword "MsaAdmins.corp.contoso.com"

    Description

    Sets the principals allowed to retrieve the password for this managed service account to be limited to only members of the specified Active Directory group account.
    https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adserviceaccount?view=winserver2012-ps

    They expect a singular entry or a comma-separated entry.

    Add the service account 'SvcAcct1' to a Computer Account 'ComputerAcct1'

    ————————– EXAMPLE 2 ————————–

    C:\PS>Add-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1,SvcAcct2

    Description

    Add 2 service accounts 'SvcAcct1,SvcAcct2' to a Computer Account 'ComputerAcct1'.

  • #118642

    Participant
    Points: 53
    Rank: Member

    I want to imagine Patrick's approach of gathering the current list of principals allowed, adding to that list, and then re-running the Set-ADServiceAccount is what's needed. There is no -Append type of parameter for the Set-ADServiceAccount cmdlet, so you just need to work around that the best you can.
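The read-merge-write approach discussed in this thread, written out as a reusable function. This is an added example, not code posted by any participant: it assumes the RSAT ActiveDirectory module, rights to modify the gMSA, and that the identities passed in exist; the account names (svc-web$, WEB03, WEB04) are placeholders. Because PrincipalsAllowedToRetrieveManagedPassword is the access boundary of a gMSA (every principal on that list can read the password and act as the account), the function deduplicates, supports -WhatIf, and reads the list back from AD so the result can be audited; a second function flags gMSAs whose list includes broad groups such as Domain Computers.

```powershell
#Requires -Modules ActiveDirectory
# Added example for this thread, not code from any poster.
# Appends principals to a gMSA's PrincipalsAllowedToRetrieveManagedPassword
# instead of replacing it (Set-ADServiceAccount has no -Append parameter).
# Assumes RSAT ActiveDirectory and rights to modify the gMSA; names are placeholders.

function Resolve-PrincipalDN {
    # Accepts a DN or a sAMAccountName (computer names with or without the trailing $)
    # and returns the object's distinguishedName. Throws if nothing matches.
    param([Parameter(Mandatory)][string] $Name)

    if ($Name -match '(^|,)\s*DC=') {
        return (Get-ADObject -Identity $Name).DistinguishedName
    }
    $escaped = $Name -replace "'", "''"   # a stray quote would break the filter string
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$escaped' -or sAMAccountName -eq '$escaped`$'" |
           Select-Object -First 1
    if (-not $obj) { throw "Principal '$Name' not found in AD" }
    return $obj.DistinguishedName
}

function Add-GmsaAllowedPrincipal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $Identity,   # gMSA, e.g. 'svc-web$'
        [Parameter(Mandatory)][string[]] $Principal   # computers or groups to add
    )

    $gmsa = Get-ADServiceAccount -Identity $Identity -Properties PrincipalsAllowedToRetrieveManagedPassword

    # Existing entries come back as an ADPropertyValueCollection of DNs; coerce to strings
    $current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { [string]$_ })
    $wanted  = @($Principal | ForEach-Object { Resolve-PrincipalDN $_ })

    # Merge without duplicates, keeping every entry that is already there
    $merged = @($current + $wanted | Sort-Object -Unique)
    if ($merged.Count -eq $current.Count) {
        Write-Verbose "All requested principals are already allowed on $Identity; nothing to do."
        return $current
    }

    if ($PSCmdlet.ShouldProcess($Identity, "Allow password retrieval by: $($merged -join '; ')")) {
        # Set-ADServiceAccount replaces the attribute, so it must receive the full merged list
        Set-ADServiceAccount -Identity $Identity -PrincipalsAllowedToRetrieveManagedPassword $merged
    }

    # Read back what AD actually stored so the caller can audit the result
    $after = Get-ADServiceAccount -Identity $Identity -Properties PrincipalsAllowedToRetrieveManagedPassword
    return @($after.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { [string]$_ })
}

function Get-GmsaWithBroadPrincipal {
    # Lists gMSAs whose retrieval list contains a broad built-in group. Any member of
    # such a group can read the gMSA password, which is usually not what was intended.
    param([string[]] $BroadGroup = @('Domain Computers', 'Domain Users'))

    $all = Get-ADServiceAccount -Filter "objectClass -eq 'msDS-GroupManagedServiceAccount'" `
                                -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($g in $all) {
        $hits = foreach ($dn in $g.PrincipalsAllowedToRetrieveManagedPassword) {
            foreach ($name in $BroadGroup) {
                if ([string]$dn -like "CN=$name,*") { [string]$dn }
            }
        }
        if ($hits) { [pscustomobject]@{ gMSA = $g.Name; BroadPrincipals = @($hits) } }
    }
}

# Usage (placeholders): preview, then apply, then audit
Add-GmsaAllowedPrincipal -Identity 'svc-web$' -Principal 'WEB03', 'WEB04' -WhatIf
Add-GmsaAllowedPrincipal -Identity 'svc-web$' -Principal 'WEB03', 'WEB04' -Verbose
Get-GmsaWithBroadPrincipal
```

After the list is updated, confirm from the new host itself with `Install-ADServiceAccount -Identity 'svc-web$'` followed by `Test-ADServiceAccount -Identity 'svc-web$'`, which returns True once that host can retrieve the password. If the added principal is a group rather than the computer object, the host evaluates that membership from its own Kerberos ticket, so it will not see the change until that ticket is renewed (a reboot is the reliable way).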
