Group Managed Service Accounts

Approved 2024/02/05 08:30 by psycore (version: 2) | Approver: psycore

Group Managed Service Accounts

Security information

This tutorial only shows the general procedure. Depending on the company structure, an appropriate authorisation concept must be planned in advance. Important questions that should be clarified in advance:

  • How should authorisations be assigned (group authorisations, individual authorisations)?
  • How do we structure our gMSA accounts (per server, per service, etc.)?

Preparations

Create root key on the DC:

Add-KdsRootKey -EffectiveImmediately

Then wait 10 hours to ensure that the replication is complete.

gMSA account

Create

On the DC:

New-ADServiceAccount -Name <ACCOUNTNAME> -DNSHostName <ACCOUNTNAME>.<DOMAIN>.<TLD> -PrincipalsAllowedToRetrieveManagedPassword <COMPUTERNAME>$

test

On the target system:

Test-ADServiceAccount <ACCOUNTNAME>

If successful, the console reports True

For errors on the target system

The RSAT tools may need to be activated. Statement from Microsoft on this:

As of the October 2018 Windows 10 update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.

https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools

If the RSAT tools are activated, the ActiveDirectory module must be imported:

import-module ActiveDirectory

Authorisations

The authorisations can now be assigned as required. Either by assigning a security group in AD, or as a local administrator on the target system.

Services

Services can now be provided with this user. To do this, simply open the service console and open the properties of the corresponding service:

  • Log in Open tab
  • Select This account
  • <ACCOUNTNAME> from the domain
  • Password Empty fields
  • Confirm dialogue

Task planning

To execute a task in the context of the gMSA account, this task must be customised using the command line

schtasks /Change /TN "<AUFGABENNAME>" /RU "<DOMAIN>.<TLD>\<ACCOUNTNAME>$" /RP ""

It may be necessary to grant the account the right to log in as a batch processing task:

Change authorisations

Services

PowerShell 7 is required

PS C:\Users\PSY> $creds = Get-Credential
 
PowerShell credential request
Enter your credentials.
User: DOMAIN\PSY
Password for user DOMAIN\PSY: *****************
 
PS C:\Users\PSY> Set-Service -name "Service" -Credential $creds

Delete gMSA account

When deleting a gMSA account, it is important that the assignments and authorisations are also removed. To do this, proceed as follows:

  • Check host assignment
  • Cancel assignment
  • Check group membership
  • Delete group membership
  • Delete gMSA account from AD

Check host assignment

Get-ADServiceAccount -Identity <ACCOUNTNAME> -Properties PrincipalsAllowedToRetrieveManagedPassword

Cancel assignment

Set-ADServiceAccount <ACCOUNTNAME> -PrincipalsAllowedToRetrieveManagedPassword $NULL -PassThru
Test-ADServiceAccount <ACCOUNTNAME>$

Check group membership

$ADGroup = (Get-ADServiceAccount -Identity <ACCOUNTNAME>$ -Properties MemberOf).MemberOf
$ADGroup | Get-ADGroup | Select-Object Name

Delete group membership

Remove-ADPrincipalGroupMembership <ACCOUNTNAME>$ -MemberOf $ADGroup

Delete gMSA account from AD

en/it-security/gmsa.txt ยท Last modified: 2024/02/05 08:30
CC Attribution-Noncommercial-Share Alike 4.0 International