Created: 10-22-21
Updated: 10-22-21
An often unused feature of Windows Server is the gMSA service account. Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can run on a single server or on a server farm, such as systems behind a network load balancer or an Internet Information Services (IIS) server. After you configure your services to use a gMSA principal, password management for that account is handled by the Windows operating system instead of by a human.
This is the list of gMSA-related PowerShell cmdlets:
Get-ADServiceAccount
Install-ADServiceAccount
New-ADServiceAccount
Remove-ADServiceAccount
Set-ADServiceAccount
Test-ADServiceAccount
Uninstall-ADServiceAccount
Below is how to set up a gMSA service account:
- On your domain controller, open up a PowerShell as administrator:
  - type "Import-Module ActiveDirectory"
  - type "Add-KdsRootKey -EffectiveImmediately"
  - type "New-ADServiceAccount -Name gMSAService1 -Description 'Group Managed Service Account for a service or application credential' -DNSHostName gMSAService1.domain.suffix -PrincipalsAllowedToRetrieveManagedPassword <the-domain-controller-you-are-running-this-from>$ -PassThru"
  - type "Set-ADServiceAccount -Identity gMSAService1 -PrincipalsAllowedToRetrieveManagedPassword <server-you-want-the-gMSA-to-be-used-on>$,<another-server-you-want-to-use>$,etc$"
- On your Server-you-want-the-gMSA-to-be-used-on, open up a PowerShell as administrator:
  - type "Install-ADServiceAccount -Identity gMSAService1"
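The steps above as one script, added here as an example and not taken from the original page. The host names (DC01, APP01, APP02), the DNS suffix and the account name are placeholder assumptions; the domain controller part runs on the DC and the last two commands run on each application server. It adds two checks the bare steps leave out: it only creates a KDS root key when none exists yet, and it confirms with Test-ADServiceAccount that the server can actually retrieve the managed password after installation.

```powershell
# Added example (not the page's own script): the gMSA setup steps as one
# script. Host names, DNS suffix and account name are placeholder assumptions.
Import-Module ActiveDirectory

$Name       = 'gMSAService1'
$DnsName    = 'gMSAService1.domain.suffix'   # placeholder: DNS host name for the account
$DcName     = 'DC01'                         # placeholder: the DC this is run on
$AppServers = @('APP01', 'APP02')            # placeholder: hosts that will run the service

# --- On the domain controller (PowerShell as administrator) ---

# Step 1: the KDS root key is forest-wide and only needs to be created once.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Step 2: create the account; at first only this DC may retrieve the password.
$dcPrincipal = Get-ADComputer -Identity $DcName
New-ADServiceAccount -Name $Name `
    -Description 'Group Managed Service Account for a service or application credential' `
    -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $dcPrincipal `
    -KerberosEncryptionType AES256 `
    -PassThru

# Step 3: replace the retrieve list with exactly the servers that need the
# credential. Every principal on this list can read the managed password, so
# keep it to the computer accounts of the hosts that run the service.
$allowed = $AppServers | ForEach-Object { Get-ADComputer -Identity $_ }
Set-ADServiceAccount -Identity $Name -PrincipalsAllowedToRetrieveManagedPassword $allowed

# --- On each application server (PowerShell as administrator, RSAT AD module installed) ---

# Step 4: install the account locally, then verify the host can retrieve the
# password. Test-ADServiceAccount returns $false if the computer is not on the
# retrieve list or the KDS key has not replicated to the DC it talks to.
# Install-ADServiceAccount -Identity gMSAService1
# if (-not (Test-ADServiceAccount -Identity gMSAService1)) {
#     throw "This host cannot retrieve the managed password for gMSAService1"
# }
```

Running the last two commands (uncommented) on the application server is the real acceptance test: a service configured with a gMSA whose Test-ADServiceAccount result is False will fail to start, and the usual cause is that the host's computer account is missing from PrincipalsAllowedToRetrieveManagedPassword.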
To return all sMSAs and gMSAs in the Active Directory domain, run the following PowerShell command:
Get-ADServiceAccount -Filter *
To return only sMSAs in the Active Directory domain, run the following command:
Get-ADServiceAccount -Filter * | where { $_.objectClass -eq "msDS-ManagedServiceAccount" }
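Beyond listing the accounts, the property worth reviewing on each gMSA is the set of principals allowed to retrieve its password, since that set is effectively the account's credential access list. The following function is an added example, not code from the original page: it lists every gMSA with its retrieve list and flags entries that are groups, because a group entry grants the managed password to every member of that group.

```powershell
# Added example (not the page's own code): audit which principals may retrieve
# each gMSA's managed password. Requires the ActiveDirectory module and read
# access to the service account objects.
Import-Module ActiveDirectory

function Get-GmsaRetrieveAudit {
    # gMSAs use objectClass msDS-GroupManagedServiceAccount (sMSAs use
    # msDS-ManagedServiceAccount, as in the filter above).
    $gmsas = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet

    foreach ($acct in $gmsas) {
        # The property holds distinguished names; resolve each to name + class.
        $allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
        $entries = foreach ($dn in $allowed) {
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            '{0} [{1}]' -f $obj.Name, $obj.ObjectClass
        }

        [pscustomobject]@{
            Name              = $acct.Name
            PasswordLastSet   = $acct.PasswordLastSet
            RetrieveCount     = $allowed.Count
            AllowedToRetrieve = ($entries -join '; ')
            # A group on the list means every member can read the password;
            # such entries deserve the same review as a shared credential.
            ContainsGroup     = [bool]($entries | Where-Object { $_ -like '*[group]' })
        }
    }
}

Get-GmsaRetrieveAudit | Sort-Object ContainsGroup -Descending | Format-Table -AutoSize
```

An empty retrieve list (RetrieveCount of 0) is not a security problem but means no host can install the account; a PasswordLastSet older than the managed password interval (30 days by default) indicates the automatic rotation is not happening and is worth investigating on the domain controllers.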