HOWTO : Create gMSA user account

1 Flares 1 Flares ×

In last post I wrote few words about MSA and gMSA and in this post I’d like to show you how to make use of gMSA using Powershell of course :).

My test environment is

DS-DC-01 – Windows Server 2012 domain controller
SC-DB-01 – Windows Server 2012 machine for SCCM SQL database
SC-DB-02 – Windows Server 2012 for extending SQL to a cluster.

I will create five gMSA accounts, four of them I will use for SQL installation later on and one for the task scheduling. Account names will be : svc_SQL, svc_SQLRS, svc_SQLSA, svc_SQLBrowser and svc_TS.

So for the start I need to install Powershell cmdlets.

First I need to create a Key Distribution Services KDS Root Key. The manual for that can be found on technet site.

So now I’m ready to create a new gMSA, but in fact I’m not. To create a gMSA account, one need to run command

And then the following error comes
It’s because domain controllers are waiting up to 10 hours from creating the key, to allow DC to assemble replication and 10 hours is safe time to achive that, so even if there is only one DC one need to wait up to 10 hourse.

So for the testing purposes I will use the second command from the technet article to generate KDS root key

Now I’m able to create first gMSA account with New-ADServiceAccount command.
The command has run without any errors this time and in the Active Directory Users and Computers console, under the Managed Service Accounts container, ny new gMSA accounts are created


The next step is to bind the service account to one or more computers. In my example I will bind svc_TS account to server : SC-DB-01 with following command

The command adds one or more service accounts to the Active Directory computer object. In fact it modifies the msDS-HostServiceAccount attribute of AD computer object.

Now the last thing, which has to be executed on the computer where service account will be used. Last step is installation of gMSA on target computer(s). To do that, on target machine AD powershell cmdlets have to be installed. so again  Install-WindowsFeature RSAT-ADDS  need to be run, but this time on target computer.

So now, I’m ready to install the gMSA account on target computer and use it. It’s being done with following command

And ups … I’ve got another error :

and I did it on purpose, during the creation of gMSA account I didn’t specify the computers which are allowed to receive password for this account so the command for creation of gMSA should look like this

but my account already exists, so I will use the  Set-ADServiceAccount command

Now  Install-ADServiceAccount will run without any errors and gMSA account I created is ready for use.

So the last step is to change a user in the service or in the Scheduled task to the newly created gMSA user.


1 Flares LinkedIn 0 Google+ 0 Facebook 0 Twitter 1 1 Flares ×

Leave a Reply

Your email address will not be published. Required fields are marked *