Group Managed Service Accounts - Install-ADServiceAccount returns "Access Denied"

    Question

  • I am playing around with the Group Managed Service Accounts. I skipped MSA from Windows Server 2008 R2 since the single-computer limitation made its value fairly low. Anyway, the 2012 RC documentation is still not really there and most of it is links to 2008R2 documents, so I may be doing this incorrectly.

    Before Install-ADServiceAccount (on the local computer)

    • I set up the KDS root key and it has replicated
    • I ran New-ADServiceAccount and Add-ADComputerServiceAccount to create and assign a gMSA
    • User account has FULL CONTROL of the gMSA object (even tried removing accidental deletion protection)

    Looking through logs on the DCs, I see:

    • Directory Access successes from the user account I am using - reading the gMSA object
    • No Directory Access failures are recorded - auditing is on for all accesses to the gMSA object
    • Privilege Use failures for the computer account to use SeBackupPrivilege

    There is nothing in logs on the local machine that I could find and the error message says WriteError: (<gMSA account>:String)

    Tuesday, June 19, 2012 11:54 PM

Answers

  • Hi,

    Did you use administrator to perform the steps to group managed service accounts?

    Please refer to the following Microsoft TechNet article for more information:

    Getting Started with Group Managed Service Accounts

    http://technet.microsoft.com/en-us/library/jj128431.aspx

    Regards,


    Arthur Li

    TechNet Community Support

    • Marked as answer by Ross Wilper Friday, June 22, 2012 4:17 PM
    Thursday, June 21, 2012 9:06 AM
  • Thanks for the link - in my searches I had not found any guidance on how to do this correctly in 2012, only in 2008R2

    My error was in using 'Add-ADComputerServiceAccount' instead of 'Set-ADServiceAccount'. When I used the latter, everything just worked. Install-ADServiceAccount was not needed.

    • Marked as answer by Ross Wilper Friday, June 22, 2012 4:17 PM
    Friday, June 22, 2012 4:17 PM

All replies

  • I had some trouble getting MSAs and group MSAs to work via Powershell as well, so I've started writing a GUI for creating and managing them (it should be released next week and will be completely free). More info and screenshots on my blog here for anyone who's interested: Cjwdev Managed Service Accounts GUI

    My website (free apps I've written for IT Pros) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com

    • Proposed as answer by R.Alikhani Tuesday, April 15, 2014 3:18 AM
    Wednesday, June 27, 2012 10:10 PM
  • Set-ADServiceAccount with what parameter?

    Thanks

    Tuesday, September 04, 2012 11:20 AM
  • Install-ADServiceAccount doesn't work... access denied message returns

    Do you have the workaround?

    Tuesday, September 04, 2012 11:25 AM
  • Creating a Group Managed Service Account

    New-ADServiceAccount [-Name] <string> -DNSHostName
    <string> [-KerberosEncryptionType <ADKerberosEncryptionType>]
    [-ManagedPasswordIntervalInDays <Nullable[Int32]>]
    [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>]
    -SamAccountName <string> -ServicePrincipalNames <string[]>

    • -Name => Required - Account Name (a '$' is automatically appended)
    • -DNSHostName => Required - Determines SPNs that the gMSA will own
    • -PrincipalsAllowedToRetrieveManagedPassword => Group or account allowed
      to get the password from KDS
    • -Path => Not listed above - Specifies the path to the container to add
      the account into. Default is "CN=Managed Service Accounts,DC=X"

    http://technet.microsoft.com/en-us/library/jj128431.aspx

    Modifying a Group Managed Service Account

    Get-ADServiceAccount [-Name] <string>
    -PrincipalsAllowedToRetrieveManagedPassword

    Set-ADServiceAccount [-Name] <string>
    -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>

    • Both take most of the same parameters as New-ADServiceAccount
    • Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword will reset
      the current value to the new list each time it is run
    Wednesday, September 05, 2012 12:03 AM
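    The sequence the thread converges on, written out end to end as an added example (this is not code from any post above or from Microsoft's documentation). It assumes the Server 2012 ActiveDirectory and KDS modules, and all names (svc-web, corp.example, gMSA-WebServers, WEB02) are placeholders. The security-relevant point is which attribute grants password retrieval: -PrincipalsAllowedToRetrieveManagedPassword writes msDS-GroupMSAMembership, which the KDS checks before handing the password to a host; Add-ADComputerServiceAccount only links the account to the computer's msDS-HostServiceAccount, so a host configured that way alone still gets "Access Denied" from Install-ADServiceAccount. The helper function exists because Set-ADServiceAccount replaces the whole list on every call, which silently revokes retrieval for every host you forget to re-list.

```powershell
# Added example, not from the thread. Placeholder names throughout.
Import-Module ActiveDirectory

# 1. A KDS root key must exist and have replicated to the DCs you will use.
#    Outside a lab, leave out -EffectiveImmediately so the default activation
#    delay gives replication time to finish before any gMSA depends on the key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Create the gMSA. Granting retrieval to a group (rather than a single
#    computer) means later hosts are added by group membership, so the gMSA
#    object itself rarely needs to change.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -ServicePrincipalNames 'HTTP/svc-web.corp.example' `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebServers'

# 3. Non-destructive add. Set-ADServiceAccount overwrites the list, so read
#    the current value, merge, and write the union back.
function Add-GmsaPasswordRetriever {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Principal   # sAMAccountNames, e.g. 'WEB02$'
    )
    $current = (Get-ADServiceAccount -Identity $Identity `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    ).PrincipalsAllowedToRetrieveManagedPassword

    # Resolve each new principal to a distinguished name so the merge
    # compares like with like (the attribute stores DNs).
    $newDns = foreach ($p in $Principal) {
        $obj = Get-ADObject -Filter "SamAccountName -eq '$p'"
        if (-not $obj) { throw "Principal '$p' not found; refusing to rewrite the list." }
        $obj.DistinguishedName
    }

    $merged = @($current; $newDns) | ForEach-Object { "$_" } | Sort-Object -Unique
    Set-ADServiceAccount -Identity $Identity -PrincipalsAllowedToRetrieveManagedPassword $merged

    # Return what is now authorised so the caller can review it.
    (Get-ADServiceAccount -Identity $Identity `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    ).PrincipalsAllowedToRetrieveManagedPassword
}

# Example: grant a single host directly, keeping the group that was already listed.
Add-GmsaPasswordRetriever -Identity 'svc-web' -Principal 'WEB02$'

# 4. On the host itself (WEB02, after a reboot or re-logon so its Kerberos
#    ticket carries the new group SID). Test-ADServiceAccount returns $true
#    only when this computer can actually retrieve the managed password.
#    Install-ADServiceAccount -Identity 'svc-web'
#    Test-ADServiceAccount    -Identity 'svc-web'
```

    When reviewing an existing gMSA, the same Get-ADServiceAccount call with -Properties PrincipalsAllowedToRetrieveManagedPassword is the quickest way to see exactly which principals can pull the password, which is the list worth auditing rather than the msDS-HostServiceAccount links.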
  • Ross, can you share the full command of what you used for 'Set-ADServiceAccount'?
    Saturday, December 01, 2012 11:54 PM
  • Ross, can you share the full command of what you used for 'Set-ADServiceAccount'?

    Set-ADServiceAccount TestgMSA -PrincipalsAllowedToRetrieveManagedPassword SRV01$

    Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 15, 2014 3:24 AM