Group Managed Service Accounts

This tutorial only shows the general procedure. Depending on the company structure, an appropriate authorisation concept must be planned in advance. Important questions that should be clarified in advance:

• How should authorisations be assigned (group authorisations, individual authorisations)?
• How do we structure our gMSA accounts (per server, per service, etc.)?

Create root key on the DC:

Add-KdsRootKey -EffectiveImmediately

Then wait 10 hours to ensure that the replication is complete.

On the DC:

New-ADServiceAccount -Name <ACCOUNTNAME> -DNSHostName <ACCOUNTNAME>.<DOMAIN>.<TLD> -PrincipalsAllowedToRetrieveManagedPassword <COMPUTERNAME>$

On the target system:

Test-ADServiceAccount <ACCOUNTNAME>

If successful, the console reports True

The RSAT tools may need to be activated. Statement from Microsoft on this:

As of the October 2018 Windows 10 update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.

^{https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools}

If the RSAT tools are activated, the ActiveDirectory module must be imported:

import-module ActiveDirectory

The authorisations can now be assigned as required. Either by assigning a security group in AD, or as a local administrator on the target system.

Services can now be provided with this user. To do this, simply open the service console and open the properties of the corresponding service:

• Log in Open tab
• Select This account
• <ACCOUNTNAME> from the domain
• Password Empty fields
• Confirm dialogue

To execute a task in the context of the gMSA account, this task must be customised using the command line

schtasks /Change /TN "<AUFGABENNAME>" /RU "<DOMAIN>.<TLD>\<ACCOUNTNAME>$" /RP ""

It may be necessary to grant the account the right to log in as a batch processing task:

PowerShell 7 is required

PS C:\Users\PSY> $creds = Get-Credential
 
PowerShell credential request
Enter your credentials.
User: DOMAIN\PSY
Password for user DOMAIN\PSY: *****************
 
PS C:\Users\PSY> Set-Service -name "Service" -Credential $creds

When deleting a gMSA account, it is important that the assignments and authorisations are also removed. To do this, proceed as follows:

• Check host assignment
• Cancel assignment
• Check group membership
• Delete group membership
• Delete gMSA account from AD

Get-ADServiceAccount -Identity <ACCOUNTNAME> -Properties PrincipalsAllowedToRetrieveManagedPassword

Set-ADServiceAccount <ACCOUNTNAME> -PrincipalsAllowedToRetrieveManagedPassword $NULL -PassThru
Test-ADServiceAccount <ACCOUNTNAME>$

$ADGroup = (Get-ADServiceAccount -Identity <ACCOUNTNAME>$ -Properties MemberOf).MemberOf
$ADGroup | Get-ADGroup | Select-Object Name

Remove-ADPrincipalGroupMembership <ACCOUNTNAME>$ -MemberOf $ADGroup

Remove-ADServiceAccount -Identity <ACCOUNTNAME>
Get-ADServiceAccount -Identity <ACCOUNTNAME>

Sources:

• https://www.frankysweb.de/group-managed-service-accounts-gmsa-fuer-tasks-und-dienste/
• https://www.der-windows-papst.de/2022/03/11/uninstall-group-managed-service-account/