To create a gMSA, you need to use the New-ADServiceAccount cmdlet. For a gMSA, you
need to specify the -Name parameter and the -DNSHostName parameter at a minimum. For
example:
New-ADServiceAccount -Name ServiceAccount1 -DNSHostName ServiceAccount1.treyresearch.net
The list of available options you can specify when creating a gMSA is long. For full details,
see http://go.microsoft.com/fwlink/p/?linkid=291076 . You can also use an existing gMSA as a
template to create a new gMSA, setting only the changed properties for the new instance of
the gMSA. For example:
$svcAcct1 = Get-ADServiceAccount -Identity ServiceAccount1
New-ADServiceAccount -Name SvcAcct2 `
-DNSHostName SvcAcct2.treyresearch.net `
-PrincipalsAllowedToDelegateToAccount "Domain Controllers" `
-Instance $svcAcct1
Installing a gMSA
You install a gMSA on a host just as you install an MSA on a host: with the
Install-ADServiceAccount cmdlet, run on the host itself. Before you can install a gMSA on a
host, however, you need to set the -PrincipalsAllowedToRetrieveManagedPassword value for
the gMSA to include the host. This value is the authorization boundary for the account: every
principal it names can read the managed password from Active Directory, so keep it as narrow
as the workload allows. The usual practice is to add the hosts that will be allowed to install
the gMSA to a security group and then grant that group with the Set-ADServiceAccount
cmdlet. So, for example:
Set-ADServiceAccount -Identity $svcAcct1 `
-PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"
Install-ADServiceAccount -Identity $svcAcct1
A host that was added to the group after it last started does not yet carry the new
membership in its own Kerberos ticket. Reboot it (or purge the computer account's tickets
with klist -li 0x3e7 purge) before installing, or the password retrieval fails.
You can test whether the gMSA has successfully been installed to the host with the
Test-ADServiceAccount cmdlet:
Test-ADServiceAccount ServiceAccount1
Test-ADServiceAccount returns $True if the gMSA has been installed, and returns $False if
it is not installed on the host.
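The following is an added example, not code from the original text: it carries the create, authorize, install and verify steps through end to end, with the checks a practitioner would want at each step. It assumes the RSAT ActiveDirectory module on the admin workstation, the domain treyresearch.net from the text, and a placeholder member server SRV1 and security group gMSA-Backup-Hosts; the first part runs on the admin workstation, the second on SRV1.

```powershell
# Added example (not from the original text). Names below are placeholders:
# SRV1 is the member server that will run the gMSA, gMSA-Backup-Hosts is the
# group that is allowed to retrieve the password.
Import-Module ActiveDirectory

# Prerequisite check: gMSA passwords are derived from a KDS root key, and
# New-ADServiceAccount fails with a "key does not exist" error without one.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists; run Add-KdsRootKey before creating any gMSA.'
}

# Grant password retrieval to a group rather than to individual hosts. Every
# member of this group can read the msDS-ManagedPassword attribute, so treat
# membership in it as a privileged assignment.
$hostGroup = Get-ADGroup -Identity 'gMSA-Backup-Hosts'
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'SRV1')

# Create the account with the retrieval principals set at creation time and
# with AES-only Kerberos encryption so the account never uses RC4.
New-ADServiceAccount -Name 'ServiceAccount1' `
    -DNSHostName 'ServiceAccount1.treyresearch.net' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256

# Read the authorization back so the change is confirmed rather than assumed.
$acct = Get-ADServiceAccount -Identity 'ServiceAccount1' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword

# ---- On SRV1, after a reboot (or klist -li 0x3e7 purge) so that the computer
# ---- account's ticket carries the new group membership:
Install-ADServiceAccount -Identity 'ServiceAccount1'
if (-not (Test-ADServiceAccount -Identity 'ServiceAccount1')) {
    throw "ServiceAccount1 cannot be used from $env:COMPUTERNAME; check that the " +
          "host is in gMSA-Backup-Hosts and that its ticket reflects the membership."
}
```

Setting -PrincipalsAllowedToRetrieveManagedPassword at creation is equivalent to the Set-ADServiceAccount call shown in the text; reading the property back afterwards is the cheap check that catches a typo in the group name before anyone tries to install the account.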
Using a gMSA to run a scheduled task
One of the useful improvements of Group Managed Service Accounts as compared with
stand-alone Managed Service Accounts is the ability to use the account to run a scheduled
task. You can run the task with administrative privileges without creating a user account
whose password you must manage and protect. So, for example, you can use the gMSA to run
a routine backup task. The action starts powershell.exe with the script as an argument,
because Task Scheduler does not run a .ps1 file directly:
$bkAction = New-ScheduledTaskAction -Execute powershell.exe `
-Argument "-NoProfile -File \\server\scriptshare\backup.ps1"
$bkTrigger = New-ScheduledTaskTrigger -At 21:00 -Weekly -DaysOfWeek Friday
$bkAcct = New-ScheduledTaskPrincipal -UserID 'treyresearch\ServiceAccount1$' -LogonType Password
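The following is an added example, not code from the original text: it registers the weekly backup task under the gMSA and verifies which principal the task ended up bound to. It assumes the NetBIOS domain name TREYRESEARCH, that ServiceAccount1 has already been installed on this host, and the script path \\server\scriptshare\backup.ps1 from the text; the task name WeeklyBackup is a placeholder.

```powershell
# Added example (not from the original text). Run on the host where the gMSA
# is installed; TREYRESEARCH and WeeklyBackup are placeholders.
Import-Module ScheduledTasks

# Execute the script through powershell.exe with a process-scoped execution
# policy and no profile, so nothing from a user profile runs under the gMSA.
$bkAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File \\server\scriptshare\backup.ps1'
$bkTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At 21:00

# A gMSA has no password an administrator can type, so the principal uses
# -LogonType Password and no credential is passed to Register-ScheduledTask;
# the LSA retrieves the current managed password when the task starts.
# RunLevel Highest hands the task the account's full token, so the gMSA's
# group memberships should be limited to what the backup actually needs.
$bkAcct = New-ScheduledTaskPrincipal -UserId 'TREYRESEARCH\ServiceAccount1$' `
    -LogonType Password -RunLevel Highest

Register-ScheduledTask -TaskName 'WeeklyBackup' `
    -Action $bkAction -Trigger $bkTrigger -Principal $bkAcct | Out-Null

# Confirm the task is bound to the gMSA and not to the registering administrator.
$registered = Get-ScheduledTask -TaskName 'WeeklyBackup'
if ($registered.Principal.UserId -ne 'TREYRESEARCH\ServiceAccount1$') {
    throw "Task principal is $($registered.Principal.UserId); expected the gMSA."
}
$registered.Principal | Select-Object UserId, LogonType, RunLevel
```

If Register-ScheduledTask reports that the account name or password is incorrect, the usual cause is that the host is not in the gMSA's -PrincipalsAllowedToRetrieveManagedPassword set, or that its Kerberos ticket predates being added to that group; Test-ADServiceAccount on the host distinguishes the two cases from a typo in the principal name.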