active-directorypowershell
Is there a way to list the current list of all the groups and/or hosts in the PrincipalsAllowedToRetrieveManagedPassword property of a gMSA (group Managed Service Account)?
There isn't any help on the "Getting Started" page, what is more their examples are returning errors and are not very clear.
Commonly domain user accounts are used as service accounts.
Yes, and no. Domain user accounts are commonly used as service logon accounts. This specific use of user accounts is not really the same as a Managed Service Account.
Anyways, the Managed Service Account object class does in fact have a userPrincipalName, but it doesn't seem to get populated by default when you create a new managed service account.
The New-ADServiceAccount cmdlet accepts a parameter called OtherAttributes which allows you to set account attributes by LDAP Display Name:
New-ADServiceAccount -Name longName -sAMAccountName truncname -OtherAttributes @{'userPrincipalName'="longname@my.upn.suffix.com"}
Yes, Group Managed Service Accounts can indeed be granted "Log on as a batch job" and "Log on as a service" rights, among others.
From the MS PFE blog:
In fact just go ahead and check out the entire post:
Make sure you're specifying the dollar sign in the name as shown.
Best Answer
It turns out that you can list all the properties for gMSA by running:
And if you want to narrow down the list you can use:
It's not very readable, since it's a list of distinguished names and has several other properties listed, but it's a useful command.
Update: to show all the entries from this properties you can use this command, which is shorter and easier to handle that what @Gregory posted
You can select specific property, instead of the wildcard *, to decrease the data flowing over the network, but the line becomes prohibitively long due to the verbose name of the property.