After having successfully created a Group Managed Service Account (gMSA) using the command below:
add-adserviceaccount -name gmsaAccount -PrincipalsAllowedToDelegateToAccount gmsaGroup -DNSHostName gmsaAccount.test.local
I am having trouble getting this account installed on the targeted hosts (members of the gmsaGroup group). I wonder whether the problem is related to the hosts associated with the service account.
Is there a way (a PowerShell command?) to verify which hosts are associated with and authorized for a group managed service account?
I tried get-adserviceaccount -identity gmsaAccount | fl *
but nothing related to hosts or PrincipalsAllowedToDelegateToAccount is displayed.
For information, when I try to run Install-ADServiceAccount on a target Windows 2012 R2 host, I get a useless "unknown error" message (no error code).
Best Answer
The cmdlet to create a new gMSA is "New-ADServiceAccount", not "Add-ADServiceAccount".
Process overview: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
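As an added example (not code from the question or the answer above), the following PowerShell script shows the end-to-end check the question is asking for: creating the gMSA with the correct cmdlet, reading back which principals are allowed to retrieve its managed password (that attribute is not shown by a plain `fl *`, it has to be requested with -Properties), and confirming that a given computer is covered by the group. It also highlights the security-relevant distinction that the question's command blurs: -PrincipalsAllowedToRetrieveManagedPassword (msDS-GroupMSAMembership) is what lets a host run Install-ADServiceAccount, whereas -PrincipalsAllowedToDelegateToAccount writes msDS-AllowedToActOnBehalfOfOtherIdentity and grants those principals resource-based constrained delegation to the gMSA, which is a delegation right you normally do not want to hand to a group of servers by accident. The script assumes the RSAT ActiveDirectory module on a domain-joined admin host with rights to create service accounts, a KDS root key, and the names from the question (gmsaAccount, gmsaGroup, test.local); HOST01 is a hypothetical target host name.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, Domain Admin (or delegated) rights, and the names used in the
# question: gmsaAccount, gmsaGroup, test.local. HOST01 is hypothetical.
Import-Module ActiveDirectory

$Name         = 'gmsaAccount'
$Group        = 'gmsaGroup'
$Dns          = 'gmsaAccount.test.local'
$ComputerName = 'HOST01'   # hypothetical member of gmsaGroup to check

# 1. gMSAs require a KDS root key. Without one, New-ADServiceAccount fails
#    ("Key does not exist"). In a lab the key can be backdated so it is
#    usable immediately; in production use -EffectiveImmediately and wait
#    roughly 10 hours for replication before creating accounts.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Create the account. Hosts that must be able to retrieve the password
#    (and therefore run Install-ADServiceAccount) go in
#    -PrincipalsAllowedToRetrieveManagedPassword. Do not use
#    -PrincipalsAllowedToDelegateToAccount for this: that parameter sets
#    msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained
#    delegation to the gMSA) and does not authorize installation.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
    New-ADServiceAccount -Name $Name -DNSHostName $Dns `
        -PrincipalsAllowedToRetrieveManagedPassword $Group
}

# 3. Verify who is authorized. These properties are not in the default
#    set, so 'Get-ADServiceAccount ... | fl *' alone will not show them.
$acct = Get-ADServiceAccount -Identity $Name `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, PrincipalsAllowedToDelegateToAccount

'Allowed to retrieve the managed password (can install the gMSA):'
$acct.PrincipalsAllowedToRetrieveManagedPassword

'Allowed to delegate to the account (RBCD; should normally be empty):'
$acct.PrincipalsAllowedToDelegateToAccount

# 4. Check that the target computer is actually a (possibly nested) member
#    of the authorized group. Note: the computer only gets the group in its
#    token at next logon, so after adding it to the group reboot the host
#    (or purge the SYSTEM logon session tickets with: klist -li 0x3e7 purge).
$covered = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'computer' -and $_.name -eq $ComputerName }

if ($covered) { "$ComputerName is authorized to retrieve the password via $Group" }
else          { "$ComputerName is NOT a member of $Group; Install-ADServiceAccount will fail there" }

# 5. On the target host itself (Windows Server 2012 R2 or later), after the
#    group membership has taken effect:
#    Install-ADServiceAccount -Identity gmsaAccount
#    Test-ADServiceAccount  -Identity gmsaAccount   # True when the host can
#                                                   # retrieve the password
```

Test-ADServiceAccount on the member server is the quickest way to separate an authorization problem (the host is not in the allowed principals, or its token has not picked up the group yet) from a local installation problem: if it returns False, fix the membership first; if it returns True but Install-ADServiceAccount still fails, the issue is on the host. If the account was originally created with -PrincipalsAllowedToDelegateToAccount, clear that value with Set-ADServiceAccount -PrincipalsAllowedToDelegateToAccount $null so the host group does not retain delegation rights to the gMSA.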