Change service account to gMSA???

This topic contains 4 replies, has 3 voices, and was last updated by  Simon Craner 4 months, 1 week ago.

  • #22930

    Rocky Cabral
    Participant

    Have been testing group managed service accounts in Windows 2012 R2 and am now set to change services on various Windows servers to gMSAs. I put together this little script just for testing. This works fine for a single host and a specified service with creds specified like "Domain\Username". But, when I try to enter a gMSA username but omit the password variable (as most of us are aware, Active Directory handles the password), the command doesn't work:

    $Box  = Read-Host "Enter computername"
    $User = Read-Host "Enter domain\username"
    $Pass = Read-Host "Enter password" -AsSecureString
    $Srvc = Read-Host "Enter service name to change"
    # Win32_Service.Change expects the password as plain text, so unwrap the SecureString
    $PlainPass = (New-Object System.Management.Automation.PSCredential($User, $Pass)).GetNetworkCredential().Password
    $service = gwmi win32_service -ComputerName $Box -Filter "name='$Srvc'"
    # Change takes positional arguments; StartName is the 7th and StartPassword the 8th
    $service.change($null,$null,$null,$null,$null,$null,$User,$PlainPass)

    Also tried with the following script from: https://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf, and left out the password variable, but it doesn't work.

    $UserName = "Infralab\santhosh"
    $Password = "Password"
    $Service = "MpsSvc" # Change service name with your service name
    $Cred = Get-Credential # Prompts you for user name and password used to connect to each server
    Import-CSV C:\Scripts\input.csv | % {
        $ServerN = $_.ServerName
        $svcD = gwmi win32_service -ComputerName $ServerN -Filter "name='$Service'" -Credential $Cred
        $StopStatus = $svcD.StopService()
        If ($StopStatus.ReturnValue -eq "0") # validating status – http://msdn.microsoft.com/en-us/library/aa393673(v=vs.85).aspx
        {Write-Host "$ServerN -> Service Stopped Successfully"}
        # Change takes 11 arguments; StartName and StartPassword are the 7th and 8th
        $ChangeStatus = $svcD.change($null,$null,$null,$null,$null,$null,$UserName,$Password,$null,$null,$null)
        If ($ChangeStatus.ReturnValue -eq "0")
        {Write-Host "$ServerN -> Successfully Changed User Name"}
        $StartStatus = $svcD.StartService()
        # Check the result of StartService, not the earlier Change call
        If ($StartStatus.ReturnValue -eq "0")
        {Write-Host "$ServerN -> Service Started Successfully"}
    }

    So, do you change a windows service account to a gMSA and not include a password????

    Another thing, this is probably really basic but I can't seem to get it to work: the above script imports a CSV. Just for testing, I tried doing "gc d:\testboxes.txt" and that didn't work. It seems that if the script can import server names from a CSV, it should work with "get-content d:\testboxes.txt", or does it have to be written differently?

  • #22932

    Dave Wyatt
    Moderator

    Managed service account names (like computer and trust accounts) actually end with a $ character, and I'm not seeing that in your $UserName variable. Try this, and see if it works:

    $UserName = 'Infralab\santhosh$'
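    Putting Dave's point into a reusable function (this is an added example, not code from the thread, the TechNet gallery script or PowerShell.org): it refuses a gMSA name without the trailing '$', calls Win32_Service.Change through Invoke-CimMethod with only StartName set so that no StartPassword is ever supplied, checks the return code of every step, and reads target hosts from a plain text file, which also covers the Get-Content question from the first post. It assumes the CIM cmdlets (PowerShell 3 or later) on the caller, WinRM reachable on each target, and that the gMSA has already been created and installed on those hosts; the optional Test-ADServiceAccount pre-check runs on the target and is skipped when the ActiveDirectory module is not installed there.

```powershell
# Added example: move a Windows service to a group managed service account.
# Assumes: CIM cmdlets on the caller, WinRM on the targets, gMSA already installed on the targets.
# Return codes for Win32_Service.Change/StopService/StartService: 0 means success
# (see the MSDN link quoted in the thread for the full table).

function Set-ServiceToGmsa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$GmsaAccount      # e.g. 'Infralab\santhosh$' (hypothetical name)
    )

    # A gMSA logs on by its SAM account name, which ends in '$' just like a computer account.
    if ($GmsaAccount -notmatch '\$$') {
        throw "gMSA name '$GmsaAccount' must end with '$' (for example 'DOMAIN\svc_app$')."
    }
    $samName = ($GmsaAccount -split '\\')[-1].TrimEnd('$')

    foreach ($computer in $ComputerName) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'"
        if (-not $svc) {
            Write-Warning "$computer -> service '$ServiceName' not found"
            continue
        }

        # Optional pre-check on the target: can this host retrieve the gMSA password at all?
        # Skipped when RSAT's ActiveDirectory module is absent on the target.
        $canUse = Invoke-Command -ComputerName $computer -ArgumentList $samName -ScriptBlock {
            param($name)
            if (Get-Module -ListAvailable -Name ActiveDirectory) { Test-ADServiceAccount -Identity $name } else { $true }
        }
        if (-not $canUse) {
            Write-Warning "$computer -> Test-ADServiceAccount failed for '$samName'; install the gMSA on this host first"
            continue
        }

        if (-not $PSCmdlet.ShouldProcess("$computer\$ServiceName", "run as $GmsaAccount")) { continue }

        # Stop the service only if it is running, then wait (bounded) for it to report Stopped.
        $stopResult = 0
        if ($svc.State -eq 'Running') {
            $stopResult = (Invoke-CimMethod -InputObject $svc -MethodName StopService).ReturnValue
            if ($stopResult -ne 0) {
                Write-Warning "$computer -> StopService returned $stopResult"
                continue
            }
            $deadline = (Get-Date).AddSeconds(30)
            do {
                Start-Sleep -Seconds 1
                $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'"
            } until ($svc.State -eq 'Stopped' -or (Get-Date) -gt $deadline)
        }

        # Only StartName is passed. StartPassword is deliberately omitted: Active Directory
        # rotates the gMSA password and the host retrieves it itself at logon.
        $change = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $GmsaAccount }
        if ($change.ReturnValue -ne 0) {
            Write-Warning "$computer -> Change returned $($change.ReturnValue)"
            continue
        }

        $start = Invoke-CimMethod -InputObject $svc -MethodName StartService
        if ($start.ReturnValue -ne 0) {
            Write-Warning "$computer -> StartService returned $($start.ReturnValue); check the System event log on the host"
        }

        [pscustomobject]@{
            ComputerName = $computer
            Service      = $ServiceName
            StartName    = $GmsaAccount
            StopResult   = $stopResult
            ChangeResult = $change.ReturnValue
            StartResult  = $start.ReturnValue
        }
    }
}

# Usage: target hosts from a one-name-per-line text file; run with -WhatIf first to see the plan.
# Set-ServiceToGmsa -ComputerName (Get-Content D:\testboxes.txt) -ServiceName 'MpsSvc' -GmsaAccount 'Infralab\santhosh$' -WhatIf
```

Get-Content works as a host source because -ComputerName takes an array of strings; the TechNet script needed Import-CSV only because it reads a named column ($_.ServerName). A non-zero StartResult after a successful Change is the case to look at on the host itself (event log, and whether Test-ADServiceAccount passes there), since Change reports only that the configuration was written, not that the account can log on.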
    
  • #22933

    Rocky Cabral
    Participant

    Thx for the suggestion, Dave.
    I'll give it a go. But, do you have any suggestions for omitting the PASSWORD variable in the command? The reason the command didn't work could be because I had left out the dollar sign $, regardless of whether I omitted the PASSWORD variable. Guess I won't know until I try it. I'll know whether the issue was omitting the PASSWORD variable or not including the dollar sign at the end of the gMSA.

  • #22942

    Rocky Cabral
    Participant

    Dave, that worked! Appended the dollar sign $ at the end of gMSA account and omitted the PASSWORD in the command. Service started right up!

  • #74713

    Simon Craner
    Participant

    Hi guys,
    Not sure if this is still active. I have tried the script as detailed; it stops the service but doesn't restart it, even after removing the password field. Not sure what I am missing, but I really would like to get away from MSA and change existing accounts into gMSA.

    Any tips greatly appreciated.

    Regards
