{
"id":7112,
"date":"2023-06-22T05:37:58",
"date_gmt":"2023-06-22T05:37:58",
"guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7112"},
"modified":"2024-06-13T10:17:40",
"modified_gmt":"2024-06-13T10:17:40",
"slug":"managed-services-accounts",
"status":"publish",
"type":"post",
"link":"https:\/\/pariswells.com\/blog\/research\/managed-services-accounts",
"title":{"rendered":"Group \\ Managed Services Accounts"},
"content":{"rendered":"\n<p>Defender for Identity documentation: <a href=\"https:\/\/learn.microsoft.com\/en-US\/defender-for-identity\/directory-service-accounts\">https:\/\/learn.microsoft.com\/en-US\/defender-for-identity\/directory-service-accounts<\/a><\/p>\n\n<p><strong>Check the KDS root key:<\/strong> if no KDS root key exists, create one. Note that a newly created KDS root key takes 10 hours to become effective; the command below backdates the effective time by 10 hours so the key can be used immediately (a shortcut for test environments; in production, wait for the key to replicate to all domain controllers).<\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))<\/code><\/pre>\n\n<p><strong>There are two types of Managed Service Account (MSA):<\/strong><\/p>\n\n<p>1. <strong><em>gMSA (Group Managed Service Account):<\/em><\/strong> This type of managed service account (MSA) was introduced in Windows Server 2012 R2. A gMSA can be used on multiple hosts. Failover clusters do not support gMSA. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.<\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">New-ADServiceAccount -Name \"MygMSA\" -DNSHostName \"mygMSA.domain.com\" -PrincipalsAllowedToRetrieveManagedPassword \"PL-MSA-Tasks\" -Path \"OU=MyOU,DC=domain,DC=com\"<\/code><\/pre>\n\n<p><strong>Get info on a gMSA<\/strong><\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">Get-ADServiceAccount -Filter \"Name -eq 'NewSmsa'\" -Properties *<\/code><\/pre>\n\n<p>2. <strong><em>sMSA (standalone Managed Service Account):<\/em><\/strong> the older type, also referred to simply as a managed service account (MSA).<\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">Add-ADComputerServiceAccount -Identity CRMEUAT03 -ServiceAccount \"CRMUATSERVICE\"<\/code><\/pre>\n\n<p><strong>Install a standalone managed service account (sMSA)<\/strong><\/p>\n\n<p>Install-ADServiceAccount installs an existing Active Directory managed service account on the computer on which the cmdlet is run.<\/p>\n\n<p>To use MSA \/ gMSA service accounts on target servers or workstations, you first need to install the Active Directory PowerShell module:<\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">Add-WindowsFeature RSAT-AD-PowerShell<\/code><\/pre>\n\n<p><strong>Task Scheduler<\/strong><\/p>\n\n<p><a href=\"https:\/\/cybergladius.com\/secure-windows-scheduled-tasks-with-managed-service-accounts\/\">https:\/\/cybergladius.com\/secure-windows-scheduled-tasks-with-managed-service-accounts\/<\/a><\/p>\n\n<p><strong>Run via PsExec<\/strong><\/p>\n\n<pre class=\"wp-block-code\"><code class=\"\">PSExec -i -u DOMAIN\\gMSA-Account$ -p ~ cmd.exe<\/code><\/pre>\n\n<p>PrincipalsAllowedToRetrieveManagedPassword: this gives me the security group that contains the servers allowed to use this gMSA. This is correct.<\/p>\n\n<p>HostComputers: this should give me the computers that have the gMSA installed (I think), and this is empty. I would expect to see my server name in here.<\/p>\n\n<p><strong>Install-ADServiceAccount fails with an unspecified error on a gMSA<\/strong><\/p>\n\n<p>The gMSA's -PrincipalsAllowedToRetrieveManagedPassword has not been set.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Defender for Identity documentation: https:\/\/learn.microsoft.com\/en-US\/defender-for-identity\/directory-service-accounts Check the KDS root key: if no KDS root key exists, create one. Note that a newly created KDS root key takes 10 hours [&hellip;]<\/p>\n","protected":false},
"author":1,
"featured_media":0,
"comment_status":"open",
"ping_status":"open",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"footnotes":""},
"categories":[1],
"tags":[],
"class_list":["post-7112","post","type-post","status-publish","format-standard","hentry","category-research"],
"aioseo_notices":[],
"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7112"}],"version-history":[{"count":15,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7112\/revisions"}],"predecessor-version":[{"id":8001,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7112\/revisions\/8001"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}