Group / Managed Service Accounts (gMSA and sMSA)

Defender for Identity recommends a gMSA for its Directory Service Account (DSA): https://learn.microsoft.com/en-US/defender-for-identity/directory-service-accounts

Check the KDS root key: gMSA passwords are derived from it, so if no key exists (Get-KdsRootKey returns nothing) one must be created before any gMSA can be made. A new key only becomes usable 10 hours after its effective time, so that every DC has replicated it. Backdating the effective time by 10 hours makes the key usable immediately; this is fine in a single-DC lab but in production use the default and wait out the replication window.

    Get-KdsRootKey
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

There are two types of Managed Service Account (MSA):

1.     sMSA (Standalone Managed Service Account): introduced in Windows Server 2008 R2 and Windows 7. An sMSA is bound to exactly one computer and cannot be shared between hosts.

# Create a new sMSA with PowerShell. -RestrictToSingleComputer selects the sMSA parameter set, which does not accept
# -DNSHostName or -PrincipalsAllowedToRetrieveManagedPassword; the single host is linked afterwards with Add-ADComputerServiceAccount.
New-ADServiceAccount -SamAccountName "NewSmsa" -Name "NewSmsa" -Description "My new sMSA" -RestrictToSingleComputer -Server (Get-ADDomainController).HostName -Enabled $true -Path "CN=Managed Service Accounts,DC=domain,DC=local"

2.      gMSA (Group Managed Service Account): introduced in Windows Server 2012 (requires the 2012 schema, at least one 2012 or later DC, and a KDS root key). One gMSA can be used on many hosts; the computers allowed to retrieve its password are listed in PrincipalsAllowedToRetrieveManagedPassword, normally via a security group. Failover clusters do not support gMSA. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.

# Create a new gMSA with PowerShell. The principal is normally a security group of host computer accounts;
# a single computer account (ServerName$) also works. The SamAccountName of a gMSA ends in $ automatically.
New-ADServiceAccount -SamAccountName "NewGmsa" -Name "NewGmsa" -DNSHostname NewGmsa.domain.local -Description "My new gMSA" -Server (Get-ADDomainController).HostName -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword ServerNameEndingInDollar$ -Path "CN=Managed Service Accounts,DC=domain,DC=local"

Assign (sMSA only)

An sMSA must be linked to its one computer account. A gMSA does not need this step; its hosts are granted through -PrincipalsAllowedToRetrieveManagedPassword instead. The link is written to msDS-HostServiceAccount on the computer object and is what shows up in the HostComputers property of the service account.

# Get the Computer/Server we intend to use the new sMSA account on.
$ServerIdentity = Get-ADComputer -Identity "Server01"

# Get the sMSA we just created.
$MsaIdentity    = Get-ADServiceAccount -Filter "Name -eq 'NewSmsa'" -Properties *

# Link the sMSA to that one Computer/Server (this populates HostComputers).
Add-ADComputerServiceAccount -Identity $ServerIdentity -ServiceAccount $MsaIdentity.sAMAccountName

Install

Install-ADServiceAccount installs an existing Active Directory managed service account on the computer on which the cmdlet is run. For an sMSA this step is mandatory. For a gMSA it retrieves and caches the managed password locally, and it only succeeds if the computer account is covered by PrincipalsAllowedToRetrieveManagedPassword; if the host was just added to the group, reboot it (or purge the system Kerberos tickets with klist -li 0x3e7 purge) first so the group SID is in its ticket.

To use sMSA / gMSA accounts on target servers or workstations, first install the Active Directory PowerShell module (on a client OS install the RSAT capability with Add-WindowsCapability instead):

Add-WindowsFeature RSAT-AD-PowerShell

# Installs an existing AD sMSA/gMSA on the computer on which the cmdlet is run (elevated prompt).
Install-ADServiceAccount -Identity NewSmsa

# Test that this computer can retrieve the account password from AD; $true is the expected result.
Test-ADServiceAccount -Identity NewSmsa
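The KDS check, group creation, gMSA creation and host-side install above as one scripted procedure. This is an added example, not code from the original notes; the names domain.local, gMSA-NewGmsa-Hosts, NewGmsa and Server01 are assumptions. Part A runs on an admin host or DC with the ActiveDirectory module; Part B runs locally and elevated on each host, because Install-ADServiceAccount run through a remoting session fails on the second hop to the DC.

```powershell
# Added example (not from the original notes). Assumed names: domain.local, group
# gMSA-NewGmsa-Hosts, gMSA NewGmsa, host Server01.

### Part A: domain side (admin host or DC) ###
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$Dc        = [string](Get-ADDomainController -Discover -Writable).HostName
$GmsaName  = 'NewGmsa'
$HostGroup = 'gMSA-NewGmsa-Hosts'     # membership of this group decides who may fetch the password
$HostNames = @('Server01')

# 1. KDS root key: create one only if none exists. A new key is usable 10 hours after its
#    effective time (replication window). Backdating is a single-DC lab shortcut; in production
#    use Add-KdsRootKey -EffectiveImmediately and wait the 10 hours before creating the gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group that scopes which computers can retrieve the managed password.
$Group = Get-ADGroup -Filter "Name -eq '$HostGroup'"
if (-not $Group) {
    $Group = New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($Domain.DistinguishedName)" `
        -Description "Hosts allowed to use $GmsaName" -PassThru
}
foreach ($h in $HostNames) {
    Add-ADGroupMember -Identity $Group -Members (Get-ADComputer -Identity $h)
}

# 3. The gMSA itself. Password interval and Kerberos encryption types can only be set at creation;
#    restricting to AES removes RC4 tickets for this account.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $Group `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType 'AES128,AES256' `
        -Enabled $true -Server $Dc
}

# 4. Check the result from the domain side.
Get-ADServiceAccount -Identity $GmsaName -Server $Dc `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, msDS-ManagedPasswordInterval |
    Select-Object Name, SamAccountName, PrincipalsAllowedToRetrieveManagedPassword,
                  KerberosEncryptionType, msDS-ManagedPasswordInterval

### Part B: on each host, elevated ###
# The computer's Kerberos ticket must already contain the new group SID: reboot the host,
# or purge the system ticket cache first with:  klist -li 0x3e7 purge
Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
Install-ADServiceAccount -Identity 'NewGmsa'
if (-not (Test-ADServiceAccount -Identity 'NewGmsa')) {
    throw 'This host cannot retrieve the password for NewGmsa: check group membership and ticket refresh'
}
```

The group rather than a bare computer account is used in -PrincipalsAllowedToRetrieveManagedPassword so that adding or removing a host later is a group membership change instead of a Set-ADServiceAccount call; the same group is also the thing to review when asking who can obtain this account.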

Get Info on gMSA

# PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval and KerberosEncryptionType are the properties worth checking.
Get-ADServiceAccount -Filter "Name -eq 'NewGmsa'" -Properties *

Task Scheduler

https://cybergladius.com/secure-windows-scheduled-tasks-with-managed-service-accounts/
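Registering a scheduled task that runs as the gMSA, as an added example (not code from the original notes or from the linked article). DOMAIN\NewGmsa$, the task name NightlyBackup and the script path C:\Scripts\Backup.ps1 are assumptions. Run it elevated on a host that has already passed Test-ADServiceAccount for the account.

```powershell
# Added example (not from the original notes). Assumed: DOMAIN\NewGmsa$, task NightlyBackup,
# script C:\Scripts\Backup.ps1. Run elevated on a host allowed to retrieve the gMSA password.
Import-Module ActiveDirectory

$GmsaSam  = 'DOMAIN\NewGmsa$'
$TaskName = 'NightlyBackup'

# Fail early if this host cannot fetch the managed password: the task would register fine
# but never start.
if (-not (Test-ADServiceAccount -Identity 'NewGmsa')) {
    throw 'This host cannot retrieve the password for NewGmsa'
}

$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1'
$Trigger = New-ScheduledTaskTrigger -Daily -At 2am

# LogonType Password makes Task Scheduler obtain the credential itself; for a gMSA the LSA
# fetches the managed password from AD, so no password is stored in the task and none is passed here.
$Principal = New-ScheduledTaskPrincipal -UserId $GmsaSam -LogonType Password -RunLevel Limited

$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify the identity the task runs under, then do a test run and read the exit code.
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List UserId, LogonType, RunLevel
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName | Format-List LastRunTime, LastTaskResult
```

The gMSA also needs the "Log on as a batch job" user right on the host (Local Security Policy or the matching GPO); without it the task stays in the Ready state with a logon failure in the task history. Note that anything that can edit this task (local administrators) can point it at a different script and run it as the gMSA, so the host's admin group is part of the account's trust boundary.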

Run via PSEXEC

An interactive shell as the gMSA, for testing permissions. The -p value is a placeholder: the LSA retrieves the managed password itself, so this only works from an elevated prompt on a host covered by PrincipalsAllowedToRetrieveManagedPassword. The flip side is that any local administrator of such a host gets the gMSA's identity this way, which is why the principals list should be as small as possible.

PSExec -i -u DOMAIN\gMSA-Account$ -p ~ cmd.exe
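Because every host (or user) allowed to retrieve the managed password can obtain the gMSA's identity with the PsExec trick above, it is worth enumerating that set across the domain. The following is an added example, not code from the original notes: it lists every gMSA, expands PrincipalsAllowedToRetrieveManagedPassword through nested groups, and flags principals that are too broad. The list of "broad" group names is an assumption about a typical domain.

```powershell
# Added example (not from the original notes): who can read each gMSA's managed password.
# $BroadPrincipals is an assumption about which built-in groups are too wide for a gMSA.
Import-Module ActiveDirectory

$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

function Get-GmsaPasswordReaders {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $gmsas = Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" `
        -SearchBase $SearchBase -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($g in $gmsas) {
        $principals = @($g.PrincipalsAllowedToRetrieveManagedPassword)
        if ($principals.Count -eq 0) {
            # Nobody can use this account: usually a creation mistake, and Install-ADServiceAccount will fail everywhere.
            [pscustomobject]@{ gMSA = $g.SamAccountName; Principal = '<none>'; Member = '<none>'; Class = ''; Broad = $false }
            continue
        }
        foreach ($dn in $principals) {
            $p     = Get-ADObject -Identity $dn -Properties sAMAccountName
            $broad = $p.Name -in $BroadPrincipals
            if ($broad) {
                # Do not expand Domain Computers & co.: the finding is the group itself.
                [pscustomobject]@{ gMSA = $g.SamAccountName; Principal = $p.Name; Member = '<all members>'; Class = 'group'; Broad = $true }
            } elseif ($p.ObjectClass -eq 'group') {
                # Recursive expansion: nested groups silently widen who can read the secret.
                foreach ($m in Get-ADGroupMember -Identity $dn -Recursive) {
                    [pscustomobject]@{ gMSA = $g.SamAccountName; Principal = $p.Name; Member = $m.SamAccountName; Class = $m.objectClass; Broad = $false }
                }
            } else {
                [pscustomobject]@{ gMSA = $g.SamAccountName; Principal = $p.Name; Member = $p.sAMAccountName; Class = $p.ObjectClass; Broad = $false }
            }
        }
    }
}

$readers = Get-GmsaPasswordReaders
$readers | Sort-Object gMSA, Member | Format-Table -AutoSize

# Findings: a broad group means any domain-joined machine (or any user) yields the gMSA;
# a user principal can read msDS-ManagedPassword over LDAP directly, no host needed.
$readers | Where-Object { $_.Broad -or $_.Class -eq 'user' } |
    Select-Object gMSA, Principal, Member, Class -Unique
```

Get-ADGroupMember -Recursive stops at 5000 members by default; for very large host groups read the group's member attribute with Get-ADGroup -Properties member instead. Computer accounts in the output are the hosts where a local administrator, or anyone who can run PsExec against them, can become the gMSA.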


PrincipalsAllowedToRetrieveManagedPassword: this gives me the security group that contains the servers allowed to use this gMSA. This is correct.

HostComputers: this should give me the computers that have the gMSA installed (I think), and this is empty. I would expect to see my server name in here.


Install-ADServiceAccount fails with an unspecified error for a gMSA

The computer account running the cmdlet is not covered by -PrincipalsAllowedToRetrieveManagedPassword: either the attribute was never set when the gMSA was created, or the host was added to the group but has not refreshed its Kerberos ticket yet (reboot, or klist -li 0x3e7 purge). Set the principals with Set-ADServiceAccount -Identity NewGmsa -PrincipalsAllowedToRetrieveManagedPassword <group or computer$>, then re-run Test-ADServiceAccount on the host.