Group Managed Service Accounts
Security information
This tutorial only shows the general procedure. Depending on the company structure, an appropriate authorisation concept must be planned in advance. Important questions that should be clarified in advance:
- How should authorisations be assigned (group authorisations, individual authorisations)?
- How do we structure our gMSA accounts (per server, per service, etc.)?
Preparations
Create root key on the DC:
Add-KdsRootKey -EffectiveImmediately
Then wait 10 hours to ensure that the replication is complete.
gMSA account
Create
On the DC:
New-ADServiceAccount -Name <ACCOUNTNAME> -DNSHostName <ACCOUNTNAME>.<DOMAIN>.<TLD> -PrincipalsAllowedToRetrieveManagedPassword <COMPUTERNAME>$
test
On the target system:
Test-ADServiceAccount <ACCOUNTNAME>
If successful, the console reports True
For errors on the target system
The RSAT tools may need to be activated. Statement from Microsoft on this:
As of the October 2018 Windows 10 update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.
https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools
If the RSAT tools are activated, the ActiveDirectory module must be imported:
import-module ActiveDirectory
Authorisations
The authorisations can now be assigned as required. Either by assigning a security group in AD, or as a local administrator on the target system.
Services
Services can now be provided with this user. To do this, simply open the service console and open the properties of the corresponding service:
Log in
Open tab- Select
This account
<ACCOUNTNAME>
from the domainPassword
Empty fields- Confirm dialogue
Task planning
To execute a task in the context of the gMSA account, this task must be customised using the command line
schtasks /Change /TN "<AUFGABENNAME>" /RU "<DOMAIN>.<TLD>\<ACCOUNTNAME>$" /RP ""
It may be necessary to grant the account the right to log in as a batch processing task:
Change authorisations
Services
PowerShell 7 is required
PS C:\Users\PSY> $creds = Get-Credential PowerShell credential request Enter your credentials. User: DOMAIN\PSY Password for user DOMAIN\PSY: ***************** PS C:\Users\PSY> Set-Service -name "Service" -Credential $creds
Delete gMSA account
When deleting a gMSA account, it is important that the assignments and authorisations are also removed. To do this, proceed as follows:
- Check host assignment
- Cancel assignment
- Check group membership
- Delete group membership
- Delete gMSA account from AD
Check host assignment
Get-ADServiceAccount -Identity <ACCOUNTNAME> -Properties PrincipalsAllowedToRetrieveManagedPassword
Cancel assignment
Set-ADServiceAccount <ACCOUNTNAME> -PrincipalsAllowedToRetrieveManagedPassword $NULL -PassThru Test-ADServiceAccount <ACCOUNTNAME>$
Check group membership
$ADGroup = (Get-ADServiceAccount -Identity <ACCOUNTNAME>$ -Properties MemberOf).MemberOf $ADGroup | Get-ADGroup | Select-Object Name
Delete group membership
Remove-ADPrincipalGroupMembership <ACCOUNTNAME>$ -MemberOf $ADGroup
Delete gMSA account from AD
Remove-ADServiceAccount -Identity <ACCOUNTNAME> Get-ADServiceAccount -Identity <ACCOUNTNAME>
Sources: