Queries about creating Group Managed Service Account

This topic contains 2 replies, has 2 voices, and was last updated by RocknRollTim 2 months, 1 week ago.

  • #68356
    RocknRollTim
    Participant

    Hi all,

    This is more of a question than a problem, but how come the following PowerShell command, install-adserviceaccount -identity gmsatest, doesn't work after specifying a group of devices for the Group Managed Service Account, i.e. -principalsallowedtoretrievemanagedpassword "domain computers", rather than the individual devices, i.e. -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$? Also, why is it compulsory to use the $ sign after each device? Below are 2 ways in which I have tested the commands to create the same Group Managed Service Account using a virtual simulation, including the results from PowerShell.

    Method 1

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$
    install-adserviceaccount -identity gmsatest

    No problems

    Method 2

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword "Domain Computers"
    install-adserviceaccount -identity gmsatest
    install-adserviceaccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
    At line:1 char:1
    + install-adserviceaccount -identity gmsatest
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : WriteError: (gmsatest:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

    Problem in PowerShell but appears okay in Services Manager on each device?

    Lastly, what is the safest way to remove a Group Managed Service Account? One time when I removed it from Active Directory Computers and Users it caused Active Directory Administrative Center to stop working, whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it caused my custom Group Policies in Group Policy Management to become uneditable.

    Your support would be much appreciated as I am still learning.

    Kind regards,

    RocknRollTim

  • #68734
    Don Jones
    Keymaster

    Group names should work for the specifier, although I'd suggest that "Domain Computers" is a little broad for my security tastes. That's like, a lot of people – might as well put the password on a post-it in the break room.

    The $ is a kind of standard suffix thing going back to the NT days.

    But I'll point out that what the parameter really wants is an ADPrincipal object – not a string (although it'll attempt to work with one). Try using Get-ADComputer or Get-ADGroup to get an object, and then pass that. A la the first answer at https://serverfault.com/questions/692772/group-managed-service-accounts-principalsallowedtoretrievemanagedpassword
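As an added example (not code from Don's post or the original thread): the full gMSA lifecycle with a dedicated host group passed as an ADGroup object instead of a string, plus a verification step and the removal order that avoids a half-deleted account. The group name, the DNSHostName and the reliance on an existing KDS root key are assumptions; the account and computer names are taken from the thread.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module on a
# domain-joined admin host in tim.local and a KDS root key already present
# (the -effectivetime backdating shown in the thread is for lab use only).
Import-Module ActiveDirectory

$GmsaName  = 'gmsatest'                 # from the thread
$HostGroup = 'gMSA-gmsatest-Hosts'      # constructed: dedicated group, not Domain Computers
$Hosts     = 'dc-01', 'dc-02', 'pc01'   # computer names as in the thread, without the $

# 1. A dedicated group scopes password retrieval to the hosts that actually run
#    the service; every member of the group can read the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $GmsaName gMSA password"
}
# Get-ADComputer resolves the computer account (sAMAccountName ends in $) for us,
# so no manual $ suffix is needed.
$ComputerObjects = $Hosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $HostGroup -Members $ComputerObjects

# 2. Pass an ADGroup object, not a string, as the principal specifier.
$GroupObject = Get-ADGroup -Identity $HostGroup
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.tim.local" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupObject
}

# 3. Check what AD actually stored before touching any host.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 4. On each host: the new group membership only lands in the computer's
#    Kerberos token after a reboot (or purging the SYSTEM logon session's
#    tickets with: klist -li 0x3e7 purge), so do that first, then install and test.
Install-ADServiceAccount -Identity $GmsaName
Test-ADServiceAccount -Identity $GmsaName    # $true means this host can retrieve the password

# 5. Removal order: stop the services using the account, uninstall it on every
#    host, and delete the AD object last (commented out so the script is safe to run).
# Uninstall-ADServiceAccount -Identity $GmsaName   # on each host
# Remove-ADServiceAccount    -Identity $GmsaName   # then once, on the admin host
```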

  • #68749
    RocknRollTim
    Participant

    Hi Jones,

    Thank you for getting back to me and responding to my thread; I will try the link in your post and see how I get on. Lastly, I will remember to take a snapshot of my test VM before attempting to create and remove a Group Managed Service Account. Thank you for all your explanations; I will take those on board too.

    Regards,

    RocknRollTim
