Defender for Identity, directory service accounts (Microsoft Learn): https://learn.microsoft.com/en-US/defender-for-identity/directory-service-accounts
Check the KDS root key: if no KDS root key exists, create one. Note that a new KDS root key takes 10 hours to become effective.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # backdated by 10 hours so the key is usable immediately
There are two types of Managed Service Account (MSA):
1. gMSA (Group Managed Service Account): this type of managed service account (MSA) was introduced in Windows Server 2012 R2. A gMSA can be used on multiple hosts. Failover clusters do not support gMSA. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an app pool, a scheduled task, or natively support gMSA or sMSA.
New-ADServiceAccount -Name "MygMSA" -DNSHostName "mygMSA.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "PL-MSA-Tasks" -Path "OU=MyOU,DC=domain,DC=com"
Get info on a gMSA:
Get-ADServiceAccount -Filter "Name -eq 'NewSmsa'" -Properties *
2. sMSA (standalone Managed Service Account), also called just managed service account (MSA): the old type. Assign the sMSA to a computer with:
Add-ADComputerServiceAccount -Identity CRMEUAT03 -ServiceAccount "CRMUATSERVICE"
Install a standalone managed service account (sMSA):
Install-ADServiceAccount installs an existing Active Directory managed service account on the computer on which the cmdlet is run.
To use MSA / gMSA service accounts on target servers or workstations, you first need to install the Active Directory PowerShell module:
Add-WindowsFeature RSAT-AD-PowerShell
Task Scheduler
Run via PsExec:
PSExec -i -u DOMAIN\gMSA-Account$ -p ~ cmd.exe
Troubleshooting notes:
PrincipalsAllowedToRetrieveManagedPassword: this gives me the security group that contains the servers allowed to use this gMSA. This is correct.
HostComputers: this should give me the computers that have the gMSA installed (I think), and this is empty. I would expect to see my server name in here.
Install-ADServiceAccount fails with an unspecified error after creating a gMSA: you have not set -PrincipalsAllowedToRetrieveManagedPassword on the account.
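As an added example, not code from the page or from Microsoft, the checks behind the troubleshooting notes above (KDS root key, PrincipalsAllowedToRetrieveManagedPassword, whether this host is one of those principals), followed by Install-ADServiceAccount and a scheduled task that runs as the gMSA for the Task Scheduler section. 'MygMSA', 'DOMAIN' and C:\Scripts\job.ps1 are assumed sample values.

```powershell
# Added example, not part of the page. Run on the target host as a domain admin
# after Add-WindowsFeature RSAT-AD-PowerShell. 'MygMSA', 'DOMAIN' and the script
# path are assumed sample values.
Import-Module ActiveDirectory

function Test-GmsaHostReadiness {
    param([Parameter(Mandatory)][string]$Name)   # sAMAccountName without the trailing $

    # 1. A KDS root key must exist and its EffectiveTime must already have passed.
    $keyReady = [bool](Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) })

    # 2. Read the gMSA. An empty PrincipalsAllowedToRetrieveManagedPassword is the
    #    usual cause of the "unspecified error" from Install-ADServiceAccount.
    $acct = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, HostComputers
    $principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)

    # 3. This host must be one of those principals, directly or through a group.
    $hostDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $hostAllowed = $false
    foreach ($p in $principals) {
        if ($p -eq $hostDn) { $hostAllowed = $true; break }
        $members = try { Get-ADGroupMember -Identity $p -Recursive -ErrorAction Stop } catch { @() }
        if ($members.DistinguishedName -contains $hostDn) { $hostAllowed = $true; break }
    }
    # After adding the computer to the group, reboot it (or purge its Kerberos
    # tickets) so the group SID is in its token before installing the account.

    [pscustomobject]@{
        KdsKeyEffective = $keyReady
        PrincipalsSet   = ($principals.Count -gt 0)
        HostIsPrincipal = $hostAllowed
        HostComputers   = @($acct.HostComputers)   # usually empty for a gMSA; not a fault
    }
}

$ready = Test-GmsaHostReadiness -Name 'MygMSA'
$ready | Format-List
if ($ready.KdsKeyEffective -and $ready.HostIsPrincipal) {
    Install-ADServiceAccount -Identity 'MygMSA'
    if (-not (Test-ADServiceAccount -Identity 'MygMSA')) { throw 'Host cannot retrieve the managed password' }

    # Scheduled task running as the gMSA: LogonType Password lets the host fetch
    # the managed password itself, so no credential is stored with the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\MygMSA$' -LogonType Password
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Scripts\job.ps1'
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    Register-ScheduledTask -TaskName 'MygMSA-Job' -Action $action -Trigger $trigger -Principal $principal
}
```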