
March 2, 2015 at 10:07 am

Have been testing group managed service accounts in Windows 2012 R2 and am now set to change services on various Windows servers to gMSAs. I put together this little script just for testing. This works fine for a single host and a specified service with creds specified like "Domain\Username". But, when I try to enter a gMSA username and omit the password variable (as most of us are aware, Active Directory handles the password), the command doesn't work:

$Box = read-host "Enter computername"
$User = read-host "Enter domain\username"
$Pass = read-host "Enter password" -AsSecureString
$Srvc = read-host "Enter service name to change"
$service = gwmi win32_service -ComputerName $Box -Filter "name='$Srvc'"

Also tried the following script from:, leaving out the password variable, but it doesn't work either.

$UserName = "Infralab\santhosh"
$Password = "Password"
$Service = "MpsSvc" #Change service name with your service name
$Cred = Get-Credential #Prompts you for user name and password
Import-CSV C:\Scripts\input.csv | % {
$ServerN = $_.ServerName
$svcD = gwmi win32_service -computername $ServerN -filter "name='$Service'" -Credential $Cred
$StopStatus = $svcD.StopService()
If ($StopStatus.ReturnValue -eq "0") # validating status
{write-host "$ServerN -> Service Stopped Successfully"}
# Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
#        StartName, StartPassword, LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies)
$ChangeStatus = $svcD.change($null,$null,$null,$null,$null,$null,$UserName,$Password,$null,$null,$null)
If ($ChangeStatus.ReturnValue -eq "0")
{write-host "$ServerN -> Successfully Changed User Name"}
$StartStatus = $svcD.StartService()
If ($StartStatus.ReturnValue -eq "0") # check the start result, not the change result
{write-host "$ServerN -> Service Started Successfully"}
}

So, do you change a windows service account to a gMSA and not include a password????

Another thing, this is probably really basic, but I can't seem to get it to work: the above script imports a CSV. Just for testing, I tried doing "gc d:\testboxes.txt" and that didn't work. It seems that if the script can import server names from a CSV, it should work with "get-content d:\testboxes.txt", or does it have to be written differently?

March 2, 2015 at 10:20 am

Managed service account names (like computer and trust accounts) actually end with a $ character, and I'm not seeing that in your $UserName variable. Try this, and see if it works:

$UserName = 'Infralab\santhosh$'

March 2, 2015 at 10:58 am

Thx for the suggestion Dave.
I'll give it a go. But, do you have any suggestions for omitting PASSWORD variable in the command? The reason the command didn't work could be because I had left out the dollar sign $, regardless if I omitted the PASSWORD variable. Guess I won't know until I try it. I'll know if omitting the PASSWORD variable wasn't the issue but not including the dollar sign at the end of the gMSA.

March 2, 2015 at 1:07 pm

Dave, that worked! Appended the dollar sign $ at the end of gMSA account and omitted the PASSWORD in the command. Service started right up!
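The working recipe from this thread (gMSA name with a trailing $, $null in the StartPassword slot of Win32_Service.Change()) and the Get-Content question from the first post, combined into one script. This is an added example, not code posted by anyone in the thread; the gMSA name Infralab\svc_web$, the file D:\testboxes.txt and the service name are placeholders, and it assumes the gMSA has already been installed on each target host (Install-ADServiceAccount) and that the hosts are allowed to retrieve its password.

```powershell
# Added example: move a service on each host in a plain text list to a gMSA.
# Assumed placeholders: D:\testboxes.txt (one server name per line), MpsSvc, Infralab\svc_web$.
param(
    [string]$HostList    = 'D:\testboxes.txt',
    [string]$ServiceName = 'MpsSvc',
    [string]$Gmsa        = 'Infralab\svc_web$'   # gMSA names carry a trailing $ like computer accounts
)

# Fail early if the name does not look like a managed service account.
if ($Gmsa -notmatch '\$$') {
    throw "gMSA names end with a trailing `$; '$Gmsa' does not."
}

# Admin credential used to connect to the remote hosts (not the service identity).
$cred = Get-Credential -Message 'Account used to connect to the servers'

# Get-Content works as well as Import-Csv here: one host per line, blanks skipped.
foreach ($server in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='$ServiceName'" -Credential $cred
    if (-not $svc) {
        Write-Warning "$server -> service '$ServiceName' not found"
        continue
    }

    if ($svc.State -eq 'Running') {
        $stop = $svc.StopService()
        if ($stop.ReturnValue -ne 0) {
            Write-Warning "$server -> StopService failed with code $($stop.ReturnValue)"
            continue
        }
    }

    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
    #        StartName, StartPassword, LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies)
    # Only StartName is set. StartPassword is $null: Active Directory manages the gMSA password,
    # so no secret is typed, stored in the script, or sent over WMI.
    $change = $svc.Change($null, $null, $null, $null, $null, $null, $Gmsa, $null, $null, $null, $null)
    if ($change.ReturnValue -ne 0) {
        Write-Warning "$server -> Change failed with code $($change.ReturnValue)"
        continue
    }

    $start = $svc.StartService()
    if ($start.ReturnValue -eq 0) {
        Write-Host "$server -> '$ServiceName' now running as $Gmsa"
    } else {
        # A failed start after a successful Change() usually means this host cannot use the gMSA:
        # the account was not installed there, the host may not retrieve its password, or it
        # lacks the 'Log on as a service' right. Test-ADServiceAccount on that host tells you which.
        Write-Warning "$server -> StartService failed with code $($start.ReturnValue); check Test-ADServiceAccount on $server"
    }
}
```

Each WMI method returns an object whose ReturnValue is 0 on success, so the script checks the result of every step (stop, change, start) separately rather than reusing one status variable; the case in the July 2017 post, where the service stops but does not come back, is exactly the branch where Change() succeeds and StartService() does not.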

July 11, 2017 at 7:55 pm

Hi guys,
Not sure if this is still active. I have tried the script as detailed; it stops the service but doesn't restart it, even after removing the password field. Not sure what I am missing, but I really would like to get away from MSA and change existing accounts into gMSA.

Any tips greatly appreciated.