Queries about creating Group Managed Service Account in Windows Server 2016

    Question

  • Hi all,

    This is more of a question than a problem, but how come the following PowerShell command, install-adserviceaccount -identity gmsatest, doesn't work after specifying a group of devices for the Group Managed Service Account, i.e. -principalsallowedtoretrievemanagedpassword "domain computers", rather than the individual devices, i.e. -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$? Also, why is it compulsory to use the $ sign after each device? Below are 2 ways in which I have tested the commands to create the same Group Managed Service Account using a virtual simulation, including the PowerShell results.

    Method 1

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local 
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$
    install-adserviceaccount -identity gmsatest

    No problems

    Method 2

    add-kdsrootkey -effectivetime ((get-date).addhours(-10))
    new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local 
    set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword "Domain Computers"
    install-adserviceaccount -identity gmsatest

    install-adserviceaccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
    At line:1 char:1
    + install-adserviceaccount -identity gmsatest
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : WriteError: (gmsatest:String) [Install-ADServiceAccount], ADException
        + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

    Problem in PowerShell but appears okay in Services Manager on each device?

    Lastly, what is the safest way to remove a Group Managed Service Account? One time when I removed it from Active Directory Users and Computers it caused Active Directory Administrative Center to stop working, whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it caused my custom Group Policies in Group Policy Management to become uneditable.

    Your support would be much appreciated as I am still learning.

    Kind regards,

    RocknRollTim

    • Moved by jrv Sunday, April 2, 2017 4:56 PM Better forum choice.
    Sunday, April 2, 2017 3:47 PM
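As an added example (not code from the thread), the same gMSA built with a dedicated host group as the retrieval principal instead of Domain Computers, plus the check a host should pass before Install-ADServiceAccount is run on it. The group name gMSA-gmsatest-Hosts, the DNS name gmsatest.tim.local and the member hosts dc-02$ and pc01$ are assumptions; the membership check looks at direct membership and the primary group only.

```powershell
# Added example, not code from the thread. Assumed names: group gMSA-gmsatest-Hosts,
# gMSA gmsatest with DNS name gmsatest.tim.local, member hosts dc-02$ and pc01$.
Import-Module ActiveDirectory

$gmsaName  = 'gmsatest'
$hostGroup = 'gMSA-gmsatest-Hosts'

# 1. KDS root key, once per forest. Backdating it is a lab shortcut; in
#    production run Add-KdsRootKey without -EffectiveTime and wait 10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A dedicated group limits who may retrieve the password; granting it to
#    Domain Computers would let every computer account in the domain do so.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
# Computer objects are addressed by SamAccountName, which ends in '$'.
foreach ($sam in 'dc-02$', 'pc01$') {
    Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity $sam)
}

# 3. Create the gMSA with the group as retrieval principal, or repoint an existing one.
if (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'") {
    Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $hostGroup
} else {
    New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.tim.local" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup
}

# 4. On each member host, after a reboot (its Kerberos ticket must carry the
#    new group membership), confirm it is an allowed principal, then install.
#    A DC's primary group is Domain Controllers, not Domain Computers, so a
#    DC is not covered by a grant to Domain Computers.
$me      = Get-ADComputer -Identity "$env:COMPUTERNAME`$" -Properties MemberOf, PrimaryGroup
$allowed = (Get-ADServiceAccount -Identity $gmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
$mine    = @($me.DistinguishedName, $me.PrimaryGroup) + @($me.MemberOf)
if (-not ($allowed | Where-Object { $mine -contains $_ })) {
    throw "$($me.SamAccountName) is not a direct member of any allowed principal: $($allowed -join ', ')"
}
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName   # True when this host can retrieve the password
```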

All replies

  • Your questions are really about how to use AD and not about how to write a script or about a script issue.  These questions would be better answered by the Directory Services group as they can work with you to help you understand how this is intended to work.

    I have moved this thread to the "Directory Services" forum.


    \_(ツ)_/


    • Edited by jrv Sunday, April 2, 2017 4:57 PM
    Sunday, April 2, 2017 4:55 PM
  • Hi jrv,

    Thank you for getting back to me and for moving my thread into the correct forum. Touch wood, I will have better luck in the Directory Services forum than in the Windows Server General forum where I initially started this thread.

    Regards,

    RocknRollTim

    Sunday, April 2, 2017 5:00 PM
  • I will note that "ServicePrincipalNames" can only take an array of principal names and not a group name.

    \_(ツ)_/

    • Marked as answer by RocknRollTim Thursday, April 20, 2017 12:54 PM
    Sunday, April 2, 2017 5:18 PM
  • Thanks jrv, that answers one of my questions regarding the creation of Group Managed Service Accounts using PowerShell, however I still have another 2 questions outstanding and they are 1) Why is it compulsory to use the $ sign after each device and 2) What is the safest way to remove a Group Managed Service Account? Your continual support would be much appreciated.

    Kind regards,

    RocknRollTim
    Sunday, April 2, 2017 5:37 PM
  • #1)  The "$" is because you must use the SamAccountName which ends in a $.

    Get-AdComputer -Filter * | Select Name, SamAccountName

    "Name" is not an identity because it is not unique across a domain.

    #2) remove all usage of the account then delete it.


    \_(ツ)_/


    • Edited by jrv Sunday, April 2, 2017 5:45 PM
    • Marked as answer by RocknRollTim Thursday, April 20, 2017 12:54 PM
    Sunday, April 2, 2017 5:43 PM
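As an added example (not code from the thread) of "remove all usage of the account then delete it": the script refuses to delete the gMSA while any service on a member host still logs on as it. It assumes the hosts are the computer members of a group named gMSA-gmsatest-Hosts, that PowerShell remoting and the ActiveDirectory module are available on them, and Domain Admin rights.

```powershell
# Added example, not code from the thread. Assumed: gMSA gmsatest, hosts listed
# in the group gMSA-gmsatest-Hosts, remoting enabled, RSAT AD module on each host.
Import-Module ActiveDirectory

$gmsaName = 'gmsatest'
$logon    = "*\$gmsaName`$"     # services show the account as DOMAIN\gmsatest$
$hosts    = Get-ADGroupMember -Identity 'gMSA-gmsatest-Hosts' |
            Where-Object objectClass -eq 'computer' |
            ForEach-Object { (Get-ADComputer -Identity $_).DNSHostName }

# 1. Find every service still running as the gMSA. Nothing is deleted until
#    this list is empty, so the removal cannot strand a running service.
$inUse = foreach ($h in $hosts) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h |
        Where-Object { $_.StartName -like $logon } |
        Select-Object @{ n = 'Host'; e = { $h } }, Name, StartName, State
}
if ($inUse) {
    $inUse | Format-Table -AutoSize
    throw "Re-point these services to another account before removing $gmsaName"
}

# 2. Remove the cached account from each host, then delete the AD object.
foreach ($h in $hosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        param($name) Uninstall-ADServiceAccount -Identity $name
    } -ArgumentList $gmsaName
}
Remove-ADServiceAccount -Identity $gmsaName -Confirm:$false
```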
  • That explains all, jrv, thank you ever so much. With regards to point 2, do I just go to each machine and change each service that is using the Group Managed Service Account to the Local Service account, and then run the command remove-adserviceaccount -identity gmsatest in PowerShell on the server where I initially created the Group Managed Service Account?

    Kind regards,

    RocknRollTim

    Sunday, April 2, 2017 6:03 PM
  • Yes but you will have to assign a new account or whatever account the service requires.


    \_(ツ)_/

    • Marked as answer by RocknRollTim Thursday, April 20, 2017 12:54 PM
    Sunday, April 2, 2017 6:12 PM
  • So in other words, jrv, not only do I have to go to each machine and change each service that is using the Group Managed Service Account to the Local Service account, but I also have to ensure that another Group Managed Service Account is created before deleting the initial one. Have I understood you correctly?

    Kind regards,

    RocknRollTim


    Sunday, April 2, 2017 7:35 PM
  • Sorry but I don't understand your issue.


    \_(ツ)_/

    Sunday, April 2, 2017 9:23 PM
  • Hi jrv,

    One time when I removed a Group Managed Service Account from Active Directory Users and Computers it caused Active Directory Administrative Center to stop working, whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it caused my custom Group Policies in Group Policy Management to become uneditable, so really I want to know whether there is a safe way of removing Group Managed Service Accounts. Luckily I have been doing this through a simulation and not on a live network, otherwise major headaches.

    Regards,

    RocknRollTim


    Sunday, April 2, 2017 10:02 PM
  • Did you try to make AD run under a service account?  There is no reason for this so it may be you have a corrupted profile, account or system.

    I cannot help you with this. Perhaps someone else has seen such weird behavior.


    \_(ツ)_/

    Sunday, April 2, 2017 10:05 PM
  • Hi jrv,

    I haven't changed the Log On As account properties for the Active Directory services under Services; they are still defaulting to Local System. I'll continue to investigate the cause of these issues.

    Lastly, I would like to say thank you for all your help, and if anyone else knows what's causing these issues please come forward, thank you.

    Kind regards,

    RocknRollTim

    Sunday, April 2, 2017 10:53 PM
  • Thank you R&RTim,  I am glad I could shed some light on your issues.  The last issue is more difficult for me to assess because it is very unusual.

    Yes - try to gather more information and post it.  My suspicion is that this may be an odd bug in the server manager software that can be ignored if you are not trying to add a domain group.

    Maybe someone else here can shed more light on this.

    Good luck.


    \_(ツ)_/

    Sunday, April 2, 2017 11:00 PM
  • Thinking about this I came up with the following:

    If you make a machine account a service account you are fundamentally changing the way that account works in the domain.  If you make a DC's machine account a service account you are fundamentally changing the role of the DC host in the domain.  I don't think Microsoft ever assumed anyone would try to do this.  What you are trying to do does not make any practical sense and may do damage to the domain.

    Why would you want to make a machine account a service account?  What can this accomplish?  A machine account is already a special account that manages its own password and has certain security protections applied.  Making it a service account clearly conflicts with the machine's role and behavior.


    \_(ツ)_/

    • Marked as answer by RocknRollTim Thursday, April 20, 2017 12:55 PM
    Sunday, April 2, 2017 11:45 PM
  • Hi jrv,

    Correct me if I'm wrong, but what you are really saying is that I should either be creating a user account in Active Directory on the DC, restricting local and terminal access to it using Group Policy as well as assigning it to the relevant users and groups, and using it for services on each machine by amending the Log On As properties, or creating a Managed Service Account through PowerShell on the DC and assigning it to services on each machine by amending the Log On As properties? Surely this wouldn't be good practice, due to the fact that the password has to be specified and reviewed every so often so it complies with security compliance checks. Plus, I read that Managed Service Accounts can only be used locally on the machine where they were initially created, i.e. they do not scale, which is why Group Managed Service Accounts were introduced to address these issues, and hence why I am using a Group Managed Service Account. I am only really using Group Managed Service Accounts to maintain good security practices, as they are intended to be used only for running services on machines. Are you saying I should use either the Domain Administrator account or a user account with sufficient network administrator/local administrator privileges to assign to the Log On As properties of each service on each machine? Your continual support would be much appreciated.

    Kind regards,

    RocknRollTim
    Monday, April 3, 2017 7:24 AM
    • Marked as answer by RocknRollTim Thursday, April 20, 2017 12:56 PM
    Sunday, April 16, 2017 4:43 PM