TechShizz | Group Managed Service Accounts

Group Managed Service Accounts

#Create the KDS root key (even with -EffectiveImmediately, the key takes 10 hours to take effect on all domain controllers)


Add-KdsRootKey -EffectiveImmediately

#Create a Group Managed Service Account, allow the "Web Servers" group to retrieve its password, and tie it to a DNS CNAME which resolves to all the cluster machines.

New-ADServiceAccount -Name GroupMSAAccount -DNSHostName WebClusterA.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Web Servers"

#Target machines need the RSAT-AD-PowerShell feature installed

Invoke-Command -ComputerName Web01,Web02,Web03 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }

#Install the gMSA (run on each target server)

Install-ADServiceAccount GroupMSAAccount

#On the target server, install the account and verify the machine can retrieve its password

Install-ADServiceAccount GroupMSAAccount

Test-ADServiceAccount -Identity GroupMSAAccount

Go to the service you wish to run under the service account and, on the Log On tab, set the service to run as an account. Use the Browse button to find your gMSA (you'll need to change the location from the local machine to the domain to find the account). Remove the pre-populated password from the password fields and save.
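An added audit script, not part of the original post, that checks the setup above from a defender's side: that the KDS root key is actually effective, who can read the gMSA password (every member of the allowed groups can, so that group membership is the real access control), how often the password rotates, and whether each web server can retrieve it. It assumes the RSAT ActiveDirectory module is available where it runs and uses the names from this page (GroupMSAAccount, "Web Servers", Web01..Web03); the function name Get-GmsaAudit is my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT-AD-PowerShell) and the account/host names used on this page.
Import-Module ActiveDirectory

function Get-GmsaAudit {
    param(
        [Parameter(Mandatory)] [string]$Name,       # gMSA sAMAccountName, e.g. GroupMSAAccount
        [string[]]$ComputerName = @()                # hosts that should be able to use it
    )

    # 1. A gMSA password can only be generated once a KDS root key is effective.
    #    Add-KdsRootKey -EffectiveImmediately still back-dates by ~10 hours, so
    #    a freshly created key shows up here as not yet effective.
    $effectiveKeys = Get-KdsRootKey |
        Where-Object { $_.EffectiveTime -le (Get-Date) }

    # 2. Pull the security-relevant attributes of the account.
    $gmsa = Get-ADServiceAccount -Identity $Name -Properties `
        PrincipalsAllowedToRetrieveManagedPassword,
        ManagedPasswordIntervalInDays,
        DNSHostName,
        ServicePrincipalNames

    # 3. Expand the allowed principals. The attribute holds DNs; when a DN is a
    #    group, every (nested) member can read the password, so list them all.
    $allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive |
                ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }
        } else {
            "$($obj.ObjectClass):$($obj.Name)"
        }
    }

    # 4. Ask each target host whether it can retrieve the password
    #    (Test-ADServiceAccount returns $true/$false). Hosts that are not
    #    members of the allowed group, or that lack RSAT-AD-PowerShell,
    #    show up as $false here.
    $hostResults = foreach ($computer in $ComputerName) {
        $ok = Invoke-Command -ComputerName $computer -ArgumentList $Name -ScriptBlock {
            param($n)
            Import-Module ActiveDirectory
            Test-ADServiceAccount -Identity $n
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{ Computer = $computer; CanRetrievePassword = [bool]$ok }
    }

    [pscustomobject]@{
        Account                     = $gmsa.SamAccountName
        DNSHostName                 = $gmsa.DNSHostName
        ServicePrincipalNames       = @($gmsa.ServicePrincipalNames)
        KdsRootKeyEffective         = [bool]$effectiveKeys
        PasswordIntervalDays        = $gmsa.ManagedPasswordIntervalInDays
        AllowedPrincipalDNs         = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
        PrincipalsWhoCanReadPassword = @($allowed | Sort-Object -Unique)
        HostChecks                  = @($hostResults)
    }
}

# Usage with the names from this page:
Get-GmsaAudit -Name GroupMSAAccount -ComputerName Web01, Web02, Web03 | Format-List
```

Things to look for in the output: KdsRootKeyEffective should be $true before you expect Install-ADServiceAccount to succeed; PrincipalsWhoCanReadPassword should contain only the computer accounts of the web servers (a user or an over-broad group such as Domain Computers in that list means the password is readable far more widely than intended); and a $false under HostChecks points at a host that is either outside the "Web Servers" group or missing the RSAT feature.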
