Queries about creating Group Managed Service Account

This topic contains 2 replies, has 2 voices, and was last updated by RocknRollTim 1 year, 1 month ago.

  • #68356


    Hi all,

    This is more of a question than a problem, but how come the following PowerShell command, install-adserviceaccount -identity gmsatest, doesn't work after specifying a group of devices for the Group Managed Service Account, i.e. -principalsallowedtoretrievemanagedpassword "domain computers", rather than the individual devices, i.e. -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$? Also, why is it compulsory to use the $ sign after each device? Below are 2 ways in which I have tested the commands to create the same Group Managed Service Account using a virtual simulation, including the results from PowerShell.

    Method 1

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$
    install-adserviceaccount -identity gmsatest

    No problems

    Method 2

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword "Domain Computers"
    install-adserviceaccount -identity gmsatest
    install-adserviceaccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
    At line:1 char:1
    + install-adserviceaccount -identity gmsatest
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : WriteError: (gmsatest:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD

    Problem in PowerShell but appears okay in Services Manager on each device?

    Lastly, what is the safest way to remove a Group Managed Service Account? One time when I removed it from Active Directory Users and Computers it caused Active Directory Administrative Center to stop working, whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it caused my custom Group Policies in Group Policy Management to become uneditable.

    Your support would be much appreciated as I am still learning.

    Kind regards,


  • #68734

    Don Jones

    Group names should work for the specifier, although I'd suggest that "Domain Computers" is a little broad for my security tastes. That's like, a lot of people – might as well put the password on a post-it in the break room.

    The $ is a kind of standard suffix thing going back to the NT days.

    But I'll point out that what the parameter really wants is an ADPrincipal object – not a string (although it'll attempt to work with one). Try using Get-ADComputer or Get-ADGroup to get an object, and then pass that. A la the first answer at https://serverfault.com/questions/692772/group-managed-service-accounts-principalsallowedtoretrievemanagedpassword
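    The following is an added worked example, not code from either poster. It puts Don's two points together with the original question: it scopes password retrieval to a dedicated security group instead of "Domain Computers", passes the group and computer objects (ADPrincipal) to -PrincipalsAllowedToRetrieveManagedPassword rather than strings, shows how to check what AD actually stored and whether a host can retrieve the password, and ends with the removal order (uninstall on each host, then delete the AD object). The group name gMSA-gmsatest-Hosts is assumed; the account name, host names and domain are taken from the thread. It assumes the ActiveDirectory module (RSAT or a DC) and a user allowed to create groups and accounts.

```powershell
# Added example (not from the thread). Assumed group name: gMSA-gmsatest-Hosts.
Import-Module ActiveDirectory

$AccountName = 'gmsatest'
$GroupName   = 'gMSA-gmsatest-Hosts'
$HostNames   = 'DC-01', 'DC-02', 'PC01'   # computer names from the thread, no trailing $

# 1. KDS root key. Backdating -EffectiveTime is for a lab only; in production
#    use -EffectiveImmediately and wait about 10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. A dedicated group limits who may retrieve the managed password to the
#    hosts that actually run the service, instead of every computer in the domain.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}

# Get-ADComputer resolves the plain name; the $ suffix is the SAM account name
# convention for computer accounts and is not needed here.
$computers = foreach ($h in $HostNames) { Get-ADComputer -Identity $h }
Add-ADGroupMember -Identity $group -Members $computers

# 3. Create (or update) the gMSA, passing the group OBJECT, not a string.
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$AccountName'"
if (-not $gmsa) {
    $gmsa = New-ADServiceAccount -Name $AccountName -DNSHostName 'dc-01.tim.local' `
        -PrincipalsAllowedToRetrieveManagedPassword $group -PassThru
} else {
    Set-ADServiceAccount -Identity $gmsa -PrincipalsAllowedToRetrieveManagedPassword $group
}

# 4. Confirm what AD stored: a list of distinguished names, here the group's DN.
(Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# 5. On each member host. A computer's group membership is carried in its
#    Kerberos ticket, so after being added to the group the host must reboot
#    (or purge the SYSTEM logon session's tickets) before it can retrieve the
#    password; until then Install-ADServiceAccount fails with a generic error.
#    klist -li 0x3e7 purge
#    Install-ADServiceAccount -Identity $AccountName
#    Test-ADServiceAccount -Identity $AccountName    # $true when retrieval works

# 6. Removal, in this order: uninstall on every host first, then delete the object.
#    Uninstall-ADServiceAccount -Identity $AccountName     # run on each host
#    Remove-ADServiceAccount -Identity $AccountName -Confirm:$false
```

    Test-ADServiceAccount returns a plain boolean, so it is the quickest way to tell whether a failing install is a rights problem (the host is not in the allowed group, or its ticket predates the membership change) rather than a problem with the account object itself.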

  • #68749


    Hi Jones,

    Thank you for getting back to me and responding to my thread; I will try the link in your post and see how I get on. Lastly, I will remember to take a snapshot in my test VM before attempting to create and remove a Group Managed Service Account, and thank you for all your explanations, I will take those on board too.


