Change service account to gMSA???

This topic contains 3 replies, has 2 voices, and was last updated by Rocky Cabral 1 year, 9 months ago.

  • #22930
    Rocky Cabral
    Participant

    Have been testing group managed service accounts in Windows 2012 R2 and am now set to change services on various Windows servers to gMSAs. I put together this little script just for testing. This works fine for a single host and a specified service, with creds specified like "Domain\Username". But when I try to enter a gMSA username and omit the password variable (as most of us are aware, Active Directory handles the password), the command doesn't work:

    $Box  = Read-Host "Enter computername"
    $User = Read-Host "Enter domain\username"
    $Pass = Read-Host "Enter password" -AsSecureString
    $Srvc = Read-Host "Enter service name to change"
    # Win32_Service.Change expects the password as plain text, so unwrap the SecureString for the call
    $Plain = (New-Object System.Net.NetworkCredential('', $Pass)).Password
    $service = Get-WmiObject Win32_Service -ComputerName $Box -Filter "name='$Srvc'"
    # Positional arguments: DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract, StartName, StartPassword
    $service.Change($null,$null,$null,$null,$null,$null,$User,$Plain)

    Also tried the following script from https://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf, leaving out the password variable, but it doesn't work either.

    $UserName = "Infralab\santhosh"
    $Password = "Password"
    $Service = "MpsSvc" #Change service name with your service name
    $Cred = Get-Credential #Prompts you for user name and password
    Import-CSV C:\Scripts\input.csv | % {
    $ServerN = $_.ServerName
    $svcD = gwmi win32_service -computername $ServerN -filter "name='$Service'" -Credential $Cred
    $StopStatus = $svcD.StopService()
    If ($StopStatus.ReturnValue -eq "0") # validating status – http://msdn.microsoft.com/en-us/library/aa393673(v=vs.85).aspx
    {write-host "$ServerN -> Service Stopped Successfully"}
    # Change() arguments: DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract, StartName, StartPassword, LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies
    $ChangeStatus = $svcD.change($null,$null,$null,$null,$null,$null,$UserName,$Password,$null,$null,$null)
    If ($ChangeStatus.ReturnValue -eq "0")
    {write-host "$ServerN -> Successfully Changed User Name"}
    $StartStatus = $svcD.StartService()
    If ($StartStatus.ReturnValue -eq "0") # was testing $ChangeStatus here, which reported success even when the start failed
    {write-host "$ServerN -> Service Started Successfully"}
    }

    So, how do you change a Windows service account to a gMSA without including a password?

    Another thing, which is probably really basic but I can't seem to get to work: the above script imports a CSV. Just for testing, I tried doing "gc d:\testboxes.txt" and that didn't work. It seems that if the script can import server names from a CSV, it should work with "get-content d:\testboxes.txt", or does it have to be written differently?

  • #22932
    Dave Wyatt
    Moderator

    Managed service account names (like computer and trust accounts) actually end with a $ character, and I'm not seeing that in your $UserName variable. Try this, and see if it works:

    $UserName = 'Infralab\santhosh$'
    
  • #22933
    Rocky Cabral
    Participant

    Thx for the suggestion Dave.
    I'll give it a go. But do you have any suggestions for omitting the PASSWORD variable in the command? The reason the command didn't work could be that I had left out the dollar sign $, regardless of whether I omitted the PASSWORD variable. Guess I won't know until I try it. I'll then know whether the issue was omitting the PASSWORD variable or not including the dollar sign at the end of the gMSA name.

  • #22942
    Rocky Cabral
    Participant

    Dave, that worked! Appended the dollar sign $ at the end of gMSA account and omitted the PASSWORD in the command. Service started right up!
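Putting the thread's two findings together (the gMSA name needs its trailing $, and StartPassword is left $null because AD manages it), here is an added example that is not code from the thread or from the TechNet gallery script. It assumes a plain-text host list at D:\testboxes.txt (one computer per line, read with Get-Content rather than Import-Csv, which also answers the second question in the first post), that the gMSA has already been installed on each target (Install-ADServiceAccount) and holds the "Log on as a service" right there, and that the caller is a local administrator on the targets. The service and account names are placeholders, and the per-host result object, the return-code table and the WQL quoting are additions of this example.

```powershell
# Added example, not from the original posts. Assumptions: D:\testboxes.txt is a plain-text
# list of computer names; the gMSA is installed on every host and may log on as a service;
# the caller is an administrator on each target. Names are placeholders.
param(
    [Parameter(Mandatory)] [string]$ServiceName,
    [Parameter(Mandatory)] [string]$GmsaAccount,     # 'Infralab\santhosh' or 'Infralab\santhosh$'
    [string]$HostList = 'D:\testboxes.txt'
)

# Win32_Service return codes worth naming (from the MSDN page the thread links to);
# anything else is reported as a bare number.
$ReturnCodes = @{ 0 = 'Success'; 2 = 'Access Denied'; 15 = 'Service Logon Failed'; 22 = 'Invalid Service Account' }
function Get-ReturnCodeText([uint32]$Code) {
    if ($ReturnCodes.ContainsKey([int]$Code)) { "$Code ($($ReturnCodes[[int]$Code]))" } else { "$Code" }
}

# A gMSA's SAM account name ends in '$', like a computer account. Append it if the caller left
# it off: Change() accepts the bare name without complaint and the service then fails to start.
if ($GmsaAccount -notmatch '\$$') { $GmsaAccount += '$' }

# Get-Content yields one string per line, which is all the loop needs; Import-Csv was only
# required because the original input file had a ServerName column header.
$computers = Get-Content -Path $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($computer in $computers) {
    $result = [ordered]@{ Computer = $computer; Stop = $null; Change = $null; Start = $null }

    # Escape single quotes so a service name cannot break out of the WQL filter.
    $filter = "Name='{0}'" -f $ServiceName.Replace("'", "\'")
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter $filter
    if (-not $svc) {
        Write-Warning "$computer -> service '$ServiceName' not found"
        continue
    }

    # Stop first; the new logon identity only takes effect when the service restarts.
    if ($svc.State -eq 'Running') {
        $stop = $svc.StopService()
        $result.Stop = Get-ReturnCodeText $stop.ReturnValue
    } else {
        $result.Stop = 'already stopped'
    }

    # Positional arguments of Change(): DisplayName, PathName, ServiceType, ErrorControl,
    # StartMode, DesktopInteract, StartName, StartPassword. Everything except StartName is
    # $null so it stays unchanged; StartPassword is $null too, because Active Directory
    # manages the gMSA password and the service control manager retrieves it itself.
    $change = $svc.Change($null, $null, $null, $null, $null, $null, $GmsaAccount, $null)
    $result.Change = Get-ReturnCodeText $change.ReturnValue

    if ($change.ReturnValue -eq 0) {
        # Test the start result itself; Change() returning 0 does not prove the account can log on.
        $start = $svc.StartService()
        $result.Start = Get-ReturnCodeText $start.ReturnValue
    }

    [pscustomobject]$result
}
```

Run it as `.\Set-ServiceGmsa.ps1 -ServiceName MpsSvc -GmsaAccount 'Infralab\santhosh'` (script name assumed) and read the Start column: a 0 there is the real confirmation, while a 15 (Service Logon Failed) or 22 (Invalid Service Account) usually means the gMSA is not installed on that host or lacks the logon-as-a-service right, which `Test-ADServiceAccount` run on the target will confirm. On current systems the same Change and StartService calls are available through `Invoke-CimMethod` on `Win32_Service`, which avoids the DCOM dependency of `Get-WmiObject`.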
