AGPM with GMSA

    Question

  • Will Advanced Group Policy Management (AGPM) work with a group managed service account? I have a Windows 2012 domain controller where I want to install the AGPM server, and the AGPM client on another Windows 2012 DC, using a group managed service account, not the normal service account mentioned in the AGPM document. I tried to follow the instructions in the TechNet blog, but the AGPM service will not start back as in step 16. Also I have to mention that the AGPM installation document says not to change the logon account details from Administrative Tools/Services. Any help will be appreciated. Thanks - RV

    Monday, April 10, 2017 8:48 AM

All replies

  • Hi,

    Please check if the below information helps.

    The AGPM Service will not start

    • Cause: You have modified settings for the AGPM Service in the operating system under Administrative Tools and Services.
    • Solution: Modify the settings for Microsoft Advanced Group Policy Management - Server under Programs and Features in Control Panel. For more information, see Modify the AGPM Service.

    Troubleshooting AGPM

    https://technet.microsoft.com/en-us/itpro/mdop/agpm/troubleshooting-agpm-agpm40#bkmk-not-start

    One similar thread for your reference:

    How can I run an AGPM Service with a MSA account? (Windows 2008R2 domain and forest functional level)

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7c804200-29ad-4de4-8ffc-f7e2539e7cc4/how-can-i-run-an-agpm-service-with-a-msa-account-windows-2008r2-domain-and-forest-functional?forum=winserverGP

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 11, 2017 7:24 AM
    Moderator
  • Thanks Alvin. I have tried to modify the settings from Microsoft Advanced Group Policy Management - Server under Programs and Features in Control Panel. But this method does not give me an option to add a gMSA as the credential. A normal service account can be changed this way, but not a gMSA.

    It does give the option to change the logon credential to a gMSA under Administrative Tools/Services. I have done the same using PowerShell commands, with the same problem of the service not starting back. The blog reference I used is

    https://blogs.technet.microsoft.com/craigf/2015/06/24/running-agpm-with-a-managed-service-account-msa-or-gmsa/

    I have set the SPN part too. :(

    Regards

    RV


    • Edited by RV_RV_RV Tuesday, April 11, 2017 8:30 AM
    Tuesday, April 11, 2017 8:07 AM
  • Hi,

    I recommend that you double-check the requirements for the AGPM Service.

    1. The AGPM Service account requires full access to the AGPM archive folder.

    2. The AGPM Service account requires full access to the local computer’s temp folder (%systemroot%\temp).

    3. Full access to GPOs created prior to using AGPM.

    4. The AGPM Service account must be a member of the Group Policy Creator Owners and Backup Operators Group.

    If the issue persists, please click Start, type "%userprofile%\local settings\temp", press Enter, and check the AGPM installation log "Agpmmsi.log" for clues.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 14, 2017 1:06 AM
    Moderator
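A quick way to verify the four requirements from the reply above against the gMSA is the PowerShell check below. It is an added example, not code from the thread or from Microsoft; the gMSA name, the archive path and the assumption that you run it on the AGPM server itself are mine, so adjust them to your environment. Requirement 3 (access to pre-existing GPOs) is a GPO ACL question that this script does not cover.

```powershell
# Added example: check a gMSA against the AGPM service account requirements.
# Run on the AGPM server. Names and paths below are assumptions; replace them.
Import-Module ActiveDirectory

$GmsaName       = 'svc_agpm'                        # gMSA sAMAccountName without trailing $
$ArchivePath    = 'C:\ProgramData\Microsoft\AGPM'   # AGPM archive folder (assumed location)
$TempPath       = Join-Path $env:SystemRoot 'Temp'  # requirement 2: %systemroot%\temp
$RequiredGroups = 'Group Policy Creator Owners', 'Backup Operators'   # requirement 4

$gmsa      = Get-ADServiceAccount -Identity $GmsaName
$principal = "$((Get-ADDomain).NetBIOSName)\$($gmsa.SamAccountName)"   # DOMAIN\svc_agpm$

# Precondition: this host must be allowed to retrieve the managed password,
# otherwise the service cannot log on no matter what the ACLs say.
$retrievable = Test-ADServiceAccount -Identity $GmsaName
"Managed password retrievable on $env:COMPUTERNAME : $retrievable"

# Requirement 4: direct group membership (a gMSA is an ordinary AD principal).
$memberOf = (Get-ADPrincipalGroupMembership -Identity $gmsa.DistinguishedName).Name
foreach ($g in $RequiredGroups) {
    "Member of '$g': $($memberOf -contains $g)"
}

# Requirements 1 and 2: an explicit or inherited Allow ACE granting FullControl.
function Test-FullControl {
    param([string]$Path, [string]$Identity)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    $hit  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$hit
}

foreach ($p in $ArchivePath, $TempPath) {
    "FullControl for $principal on ${p}: $(Test-FullControl -Path $p -Identity $principal)"
}
```

If any line reports False, fix that item first; the service start failure described in the thread is consistent with the account logging on but lacking one of these rights.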
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, April 23, 2017 2:38 AM
    Moderator