Queries about creating Group Managed Service Account



  • #68356

    Participant
    Points: 0
    Rank: Member

    Hi all,

    This is more of a question than a problem, but how come the following PowerShell command, install-adserviceaccount -identity gmsatest, doesn't work after specifying a group of devices for the Group Managed Service Account, i.e. -principalsallowedtoretrievemanagedpassword "domain computers", rather than the individual devices, i.e. -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$? Also, why is it compulsory to use the $ sign after each device? Below are 2 ways in which I have tested the commands to create the same Group Managed Service Account using a virtual simulation, including the results from PowerShell.

    Method 1

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    New-ADServiceAccount -Name gmsatest -DNSHostName dc-01.tim.local
    Set-ADServiceAccount -Identity gmsatest -PrincipalsAllowedToRetrieveManagedPassword dc-01$,dc-02$,pc01$
    Install-ADServiceAccount -Identity gmsatest

    No problems

    Method 2

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    New-ADServiceAccount -Name gmsatest -DNSHostName dc-01.tim.local
    Set-ADServiceAccount -Identity gmsatest -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"
    Install-ADServiceAccount -Identity gmsatest
    install-adserviceaccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
    At line:1 char:1
    + install-adserviceaccount -identity gmsatest
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : WriteError: (gmsatest:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

    Problem in PowerShell but appears okay in Services Manager on each device?

    Lastly, what is the safest way to remove a Group Managed Service Account? One time when I removed it from Active Directory Users and Computers it caused Active Directory Administrative Center to stop working, whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it caused my custom Group Policies in Group Policy Management to become uneditable.

    Your support would be much appreciated as I am still learning.

    Kind regards,

    RocknRollTim

  • #68734

    Keymaster
    Points: 1,624
    Helping HandTeam Member
    Rank: Community Hero

    Group names should work for the specifier, although I'd suggest that "Domain Computers" is a little broad for my security tastes. That's like, a lot of people – might as well put the password on a post-it in the break room.

    The $ is a kind of standard suffix thing going back to the NT days.

    But I'll point out that what the parameter really wants is an ADPrincipal object – not a string (although it'll attempt to work with one). Try using Get-ADComputer or Get-ADGroup to get an object, and then pass that. À la the first answer at https://serverfault.com/questions/692772/group-managed-service-accounts-principalsallowedtoretrievemanagedpassword

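The approach from the reply above, worked through as an added example (not code from the thread or from its author): a dedicated security group holds only the hosts that run the service, and the parameter receives the ADGroup object rather than a string. The host names, gMSA name and domain come from the thread; the group name gMSA-gmsatest-Hosts is an assumption.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module and a domain-joined admin session; the group name is invented.
Import-Module ActiveDirectory

# 1. A KDS root key must exist before any gMSA can be created. The -10 hours
#    trick from the thread is a single-DC lab shortcut only; in production use
#    -EffectiveImmediately and wait ~10 hours for the key to replicate.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A dedicated group is far narrower than "Domain Computers": only the
#    hosts that actually run the service can ever retrieve the password.
$groupName = 'gMSA-gmsatest-Hosts'   # assumed name
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}

# Get-ADComputer resolves the plain host names; the returned objects already
# carry the SamAccountName with its trailing '$' (DC-01$), so the suffix
# never has to be typed by hand.
$hosts = 'dc-01', 'dc-02', 'pc01' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $group -Members $hosts

# 3. Create the gMSA, passing the ADGroup object (an ADPrincipal), not a string.
New-ADServiceAccount -Name 'gmsatest' `
    -DNSHostName 'dc-01.tim.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256

# 4. Verify what AD actually stored for the retrieval principals.
Get-ADServiceAccount -Identity 'gmsatest' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# 5. On each member host, after a reboot (or 'klist -li 0x3e7 purge') so that
#    the computer's Kerberos ticket contains the new group membership:
#    Install-ADServiceAccount -Identity gmsatest
#    Test-ADServiceAccount -Identity gmsatest    # True when the host can retrieve the password
#
# 6. Removal order: Uninstall-ADServiceAccount -Identity gmsatest on every host
#    first, then Remove-ADServiceAccount -Identity gmsatest in AD.
```

Step 5 is the usual reason a freshly added host still fails Install-ADServiceAccount: its group membership is evaluated from the Kerberos ticket it already holds, not from AD live.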
  • #68749

    Participant
    Points: 0
    Rank: Member

    Hi Jones,

    Thank you for getting back to me and responding to my thread; I will try the link in your post and see how I get on. Lastly, I will remember to take a snapshot of my test VM before attempting to create and remove a Group Managed Service Account, and thank you for all your explanations; I will take those on board too.

    Regards,

    RocknRollTim
