Active Directory – Install Service Account Remotely to Multiple Servers

active-directorymanaged-service-accountspowershell

We have a new process I'm trying to implement, part one of my task basically is change the local administrator password every month and update the password vault with the new password for the administrator team. – this part of my PowerShell script is fine.

We also are going to use managed service accounts, I will use a managed service account to run my PowerShell script to change the password on every server remotely. – this is my problem.

To use the service account like this I'm creating a group to place servers in
then creating a service account linking it:

New-ADServiceAccount -Name "serviceaccount" -DNSHostName "serviceaccount.domain.com" -Path "OU=ServiceAccounts,DC=domain,DC=com" -PrincipalsAllowedToRetrieveManagedPassword "gMSA-ServerGroup"

This is all great… but to install on every server 0_o remotely doesn't work with this command:
Install-ADServiceAccount -Identity "serviceaccount"

Unless I am logged into the server that requires it, I have tested this, Open PowerShell and run the command, no error tested and perfect!.

This doesn't work:

Invoke-Command -ComputerName $server -Credential $credentials -ScriptBlock {
 #try to install service account
 Install-ADServiceAccount -Identity "serviceaccount"
}

Anyone have this problem ?

Can I do it a different way, maybe through Group Policy.

Server OS varies: 2008, 2012 and 2016

Best Answer

I highly recommend using Microsoft's own solution, LAPS, to manage local Admin passwords.

It's basically a group policy extension that changes the passwords and stores them in a hashed attribute on the Computer account in AD. You use your normal AD tools, including Powershell, to manage it. There's a little GUI tool that can be installed anywhere (such as a management computer).

No service account required, but you need to install a DLL on the client machines and do a bit of (simple) tweaking of AD permissions.

More info and download here. The download package has a deployment guide in it.

Related Solutions

Group Managed Service Account (gMSA): get authorized hosts / install-adserviceaccount unknown error

Do you have at least one 2012 DC?
Did you prep the domain with Add-KDSRootKey?
After you added the computers to gmsaGroup, were they rebooted to get a new token that reflects the new group membership?
When you create the account, I think you need to use "PrincipalsAllowedToRetrieveManagedPassword" instead of "PrincipalsAllowedToDelegateToAccount"

The cmdlet to create a new gMSA is "New-ADServiceAccount" not "Add-ADServiceAccount"

Process overview http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Group Managed Service Accounts: -PrincipalsAllowedToRetrieveManagedPassword

Setting the -PrincipalsAllowedToRetrieveManagedPassword restricts the use of Install-ADServiceAccount, which is another step that must happen before you're able to use the gMSA. Once the gMSA is installed, the service will start regardless the PrincipalsAllowed setting until the managed password changes.

Any computer using the gMSA that is not included in the PrincipalsAllowed entities will not be able to change the managed password, nor will it be able to retrieve a managed password from the domain after it was changed. If the gMSA managed password was changed by a computer that has the privileges to do so, that will cause logon failures for services running on computers that are not in the PrincipalsAllowed entities.

You must ensure that every computer running services using a particular gMSA is included in the PrincipalsAllowed entities for that gMSA, or it will cause problems with starting/restarting services down the line (a month later, as the default managed password changes are scheduled at 30 days).

https://technet.microsoft.com/en-us/library/hh852196%28v=wps.630%29.aspx

Notes To successfully install a managed service account, the service account should have the PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet first. Otherwise, installation will fail.

E.g.

# Running this on APPSERVER1

$appServer1 = Get-ADComputer APPSERVER1
$appServer2 = Get-ADComputer APPSERVER2

$gMSA = New-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer2 -DnsHostName 'APP1'

Install-ADServiceAccount 'APP1'
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount 'APP1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (APP1:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Set-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer1

Install-ADServiceAccount 'APP1'

The last command will now succeed. Once you configure the service credentials, the service will start.

Set-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer2

Now, restarting the service will still work. However, if you perform an Uninstall-ADServiceAccount and then try to re-install it, you will get the same error shown above.

Starting the service will also fail with a logon failure if the password was changed by APPSERVER2 in the meantime.

Best Answer

Related Solutions

Group Managed Service Account (gMSA): get authorized hosts / install-adserviceaccount unknown error

Group Managed Service Accounts: -PrincipalsAllowedToRetrieveManagedPassword

Related Topic