Group Managed Service Accounts - Install-ADServiceAccount returns "Access Denied"
-
Tuesday, June 19, 2012 11:54 PM
I am playing around with the Group Managed Service Accounts. I skipped MSA from Windows Server 2008 R2 since the single-computer limitation made its value fairly low. Anyway, the 2012 RC documentation is still not really there and most is links to 2008R2 documents, so I may be doing this incorrectly.
Before Install-ADServiceAccount (on the local computer)
- I set up the KDS root key and it has replicated
- I ran New-ADServiceAccount and Add-ADComputerServiceAccount to create and assign a gMSA
- User account has FULL CONTROL of the gMSA object (even tried removing accidental deletion protection)
Looking through logs on the DCs, I see:
- Directory Access successes from the user account I am using - reading the gMSA object
- No Directory Access failures are recorded - auditing is on for all accesses to the gMSA object
- Privilege Use failures for the computer account to use seBackupPrivilege
There is nothing in logs on the local machine that I could find and the error message says WriteError: (<gMSA account>:String)
All Replies
-
Thursday, June 21, 2012 9:06 AM (Moderator)
Hi,
Did you use administrator to perform the steps to group managed service accounts?
Please refer to the following Microsoft TechNet article for more information:
Getting Started with Group Managed Service Accounts
http://technet.microsoft.com/en-us/library/jj128431.aspx
Regards,
Arthur Li
TechNet Community Support
- Marked As Answer by Ross Wilper Friday, June 22, 2012 4:17 PM
-
Friday, June 22, 2012 4:17 PM
Thanks for the link - in my searches I had not found any guidance on how to do this correctly in 2012, only in 2008R2
My error was in using 'Add-ADComputerServiceAccount' instead of 'Set-ADServiceAccount'. When I used the latter, everything just worked. Install-ADServiceAccount was not needed.
- Marked As Answer by Ross Wilper Friday, June 22, 2012 4:17 PM
-
Wednesday, June 27, 2012 10:10 PM
I had some trouble getting MSAs and group MSAs to work via Powershell as well, so I've started writing a GUI for creating and managing them (it should be released next week and will be completely free). More info and screenshots on my blog here for anyone who's interested: Cjwdev Managed Service Accounts GUI
My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com
-
Tuesday, September 04, 2012 11:20 AM
Set-ADServiceAccount with what parameter?
Thanks
-
Tuesday, September 04, 2012 11:25 AM
Install-ADServiceAccount doesn't work... access denied message returns
Do you have the workaround?
-
Wednesday, September 05, 2012 12:03 AM
Creating a Group Managed Service Account
New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] -SamAccountName <string> -ServicePrincipalNames <string[]>
- -Name => Required - Account Name (a '$' is automatically appended)
- -DNSHostName => Required - Determines SPNs that the gMSA will own
- -PrincipalsAllowedToRetrieveManagedPassword => Group or account allowed to get the password from KDS
- -Path => Not listed above - Specifies the path to the container to add the account into. Default is "CN=Managed Service Accounts,DC=X"
Modifying a Group Managed Service Account
Get-ADServiceAccount [-Name] <string> -PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount [-Name] <string> -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>
- Both take most of the same parameters as New-ADServiceAccount
- Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword will reset the current value to the new list each time it is run
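Putting the fix from the accepted answer (grant retrieval through -PrincipalsAllowedToRetrieveManagedPassword, not Add-ADComputerServiceAccount) together with the syntax summary above, as an added PowerShell example that is not from the thread; the gMSA name, group name, host name and domain are assumed placeholders:

```powershell
# Added example, not from the thread. Assumed names: gMSA "svc-web",
# group "gMSA-Web-Hosts", host "WEB01", domain contoso.local.
Import-Module ActiveDirectory

$GmsaName  = 'svc-web'
$GroupName = 'gMSA-Web-Hosts'
$HostName  = 'WEB01'
$DnsName   = 'svc-web.contoso.local'

# 1. A KDS root key must exist and have replicated before gMSA passwords can be generated.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one with Add-KdsRootKey and wait for it to take effect.'
}

# 2. Grant retrieval rights to a group rather than to individual computers, so adding a
#    host later is a group-membership change and never overwrites the principal list.
#    Keep this group small: membership is what authorises fetching the managed password.
$Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $Group) {
    $Group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$Computer = Get-ADComputer -Identity $HostName -Properties MemberOf
if ($Computer.MemberOf -notcontains $Group.DistinguishedName) {
    Add-ADGroupMember -Identity $Group -Members $Computer
}

# 3. Create the account. The '$' suffix is appended automatically; the DNS host name
#    determines the SPNs the account will own.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $Group `
        -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 30
}

# 4. Set-ADServiceAccount REPLACES the whole list, so merge with the current value
#    instead of assigning one principal and silently dropping the others.
$Current = @((Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
if ($Current -notcontains $Group.DistinguishedName) {
    Set-ADServiceAccount -Identity $GmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword ($Current + $Group.DistinguishedName)
}

# 5. On the host, after a reboot (or purging its Kerberos tickets) so the new group
#    membership is in its token: Install-ADServiceAccount is optional once the rights
#    are correct, and Test-ADServiceAccount returns $true only if this computer can
#    actually retrieve the managed password.
# Install-ADServiceAccount -Identity $GmsaName
# Test-ADServiceAccount -Identity $GmsaName
```

If Test-ADServiceAccount still returns $false on the host, check the computer's effective group membership with klist or whoami /groups before touching the gMSA object again, since a stale token is the usual cause of a lingering "Access Denied".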
-
Saturday, December 01, 2012 11:54 PM
Ross, can you share the full command of what you used for 'Set-ADServiceAccount'?