An Engineers Notebook

Group Managed Service Accounts

#Create the KDS root key (even with -EffectiveImmediately it takes about 10 hours before the key is usable on every DC)
Add-KdsRootKey -EffectiveImmediately
#Create a Group Managed Service Account, allow only members of the "Web Servers" group to retrieve its password, and bind it to a DNS CNAME that resolves to all cluster machines
New-ADServiceAccount -Name GroupMSAAccount -DNSHostName WebClusterA.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Web Servers"
#Target machines need the RSAT-AD-PowerShell feature installed
Invoke-Command -ComputerName Web01,Web02,Web03 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }
#On each target server: install the gMSA locally, then verify that this machine can retrieve its password
Install-ADServiceAccount -Identity GroupMSAAccount
Test-ADServiceAccount -Identity GroupMSAAccount
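The steps above are easy to get half-right: the KDS root key may not be effective yet, the password retrieval ACL may be wider than the one group, or a web server may not have picked up its group membership. The following verification script is an added example (not from the original post) that checks each of those from a domain-joined admin workstation. It assumes the names used above (gMSA GroupMSAAccount, group "Web Servers", hosts Web01 to Web03) and only standard ActiveDirectory module cmdlets.

```powershell
# Added example: verify a gMSA deployment end to end.
# Assumes the names from the post above; adjust to your environment.
Import-Module ActiveDirectory

$GmsaName   = 'GroupMSAAccount'
$GroupName  = 'Web Servers'
$WebServers = 'Web01', 'Web02', 'Web03'

# 1. KDS root key: no gMSA password can be generated until a key is effective.
$keys = Get-KdsRootKey
if (-not $keys) {
    Write-Warning 'No KDS root key exists; run Add-KdsRootKey first.'
} else {
    $keys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
    $effective = $keys | Where-Object { $_.EffectiveTime -le (Get-Date) }
    if (-not $effective) {
        Write-Warning 'KDS root key exists but is not yet effective; Install-ADServiceAccount will fail until it is.'
    }
}

# 2. Least privilege: only the "Web Servers" group should be able to retrieve the password.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, DNSHostName, ManagedPasswordIntervalInDays
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    (Get-ADObject -Identity $_).Name
})
if ($allowed.Count -eq 0) {
    Write-Warning "No principal is allowed to retrieve the password for $GmsaName."
}
$extra = $allowed | Where-Object { $_ -ne $GroupName }
if ($extra) {
    Write-Warning "Unexpected principals can retrieve the password: $($extra -join ', ')"
}
"gMSA $GmsaName: DNSHostName=$($gmsa.DNSHostName) " +
"PasswordInterval=$($gmsa.ManagedPasswordIntervalInDays) days Allowed=$($allowed -join ', ')"

# 3. Group membership: a host that was added to the group after its last boot still
#    carries an old Kerberos token and will fail Test-ADServiceAccount until restarted.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty Name)
foreach ($host in $WebServers) {
    if ($members -notcontains $host) {
        Write-Warning "$host is not a member of '$GroupName'; add it and reboot the host."
    }
}

# 4. Ask each web server whether it can actually retrieve the managed password.
$results = Invoke-Command -ComputerName $WebServers -ScriptBlock {
    Import-Module ActiveDirectory
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        GmsaOk   = Test-ADServiceAccount -Identity $using:GmsaName
    }
}
$results | Select-Object Computer, GmsaOk | Format-Table -AutoSize
```

Run it as a domain admin (or an account with read access to the gMSA object and WinRM rights on the web servers). A `GmsaOk` of `False` on one host with `True` on the others almost always means that host's group membership has not been refreshed; a `False` on every host points at the KDS key or the retrieval ACL, which steps 1 and 2 above report on.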

Go to the service you wish to run under the service account and, on the Log On tab, set the service credentials to a network account. Use the Browse button to find your MSA (you'll need to change the location from the local machine to the domain to find the account). Remove the pre-populated password from the fields and save.
