Group Managed Service Account (gMSA): get authorized hosts / install-adserviceaccount unknown error

active-directorywindows-server-2012-r2

After having successfully created a Group Managed Service Account (gMSA) using the command below:

add-adserviceaccount -name gmsaAccount -PrincipalsAllowedToDelegateToAccount gmsaGroup -DNSHostName gmsaAccount.test.local

I am having trouble to have this account installed on the targeted hosts (members of gmsaGroup group). I wonder if the problem is not related to the hosts associated with the service account.

Is there a way (powershell command?) to verify which hosts are associated and authorized with a group managed service account.

I tried get-adserviceaccount -identity gmsaAccount | fl * but nothing related to hosts or principalsAllowedToDelegateToAccount is displayed.

For information, when i try to run the install-adserviceaccount on a target Windows2012R2 host, i get a useless "unknown error" message (no error code).

Best Answer

Do you have at least one 2012 DC?
Did you prep the domain with Add-KDSRootKey?
After you added the computers to gmsaGroup, were they rebooted to get a new token that reflects the new group membership?
When you create the account, I think you need to use "PrincipalsAllowedToRetrieveManagedPassword" instead of "PrincipalsAllowedToDelegateToAccount"

The cmdlet to create a new gMSA is "New-ADServiceAccount" not "Add-ADServiceAccount"

Process overview http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Related Solutions

How to use long names to refer to Group Managed Service Accounts (gMSA)

Commonly domain user accounts are used as service accounts.

Yes, and no. Domain user accounts are commonly used as service logon accounts. This specific use of user accounts is not really the same as a Managed Service Account.

Anyways, the Managed Service Account object class does in fact have a userPrincipalName, but it doesn't seem to get populated by default when you create a new managed service account.

The New-ADServiceAccount cmdlet accepts a parameter called OtherAttributes which allows you to set account attributes by LDAP Display Name:

New-ADServiceAccount -Name longName -sAMAccountName truncname -OtherAttributes @{'userPrincipalName'="longname@my.upn.suffix.com"}

Powershell – List current Principals in group Managed Service Accounts

It turns out that you can list all the properties for gMSA by running:

Get-ADServiceAccount -Identity <gMSA-account> -Properties *

And if you want to narrow down the list you can use:

Get-ADServiceAccount -Identity <gMSA-account> -Properties PrincipalsAllowedToRetrieveManagedPassword

It's not very readable, since it's a list of distinguished names and has several other properties listed, but it's a useful command.

Update: to show all the entries from this properties you can use this command, which is shorter and easier to handle that what @Gregory posted

(Get-ADServiceAccount -Identity <gMSA-account> -Properties *).PrincipalsAllowedToRetrieveManagedPassword

You can select specific property, instead of the wildcard *, to decrease the data flowing over the network, but the line becomes prohibitively long due to the verbose name of the property.

Best Answer

Related Solutions

How to use long names to refer to Group Managed Service Accounts (gMSA)

Powershell – List current Principals in group Managed Service Accounts

Related Topic