Mark Minasi's Tech Forum
#1  Pieter (Senior Member, 239 posts)
When I create a Group Managed Service Account (gMSA) I use a group (could also be a list of servers) for the "PrincipalsAllowedToRetrieveManagedPassword":

New-ADServiceAccount -Name "gMSA-account" -DNSHostName "gMSA-account.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "GroupToUseTheGMSA"

And I also add the gMSA to several domain groups (e.g. DOMAIN\App1_Admins, DOMAIN\App2_Admins) to give access to resources.

Two questions:
1. How can I afterwards retrieve the group (or list of servers) that can use the gMSA (ex. GroupToUseTheGMSA)?
2. How can I retrieve the list of groups the account is member of (ex. App1_Admins and App2_Admins)? There is no MemberOf attribute for a gMSA account.


__________________
Pieter Demeulemeester

#2  Pieter (Senior Member, 239 posts)
I guess I found it:

Get-ADServiceAccount -Identity "gMSA-account" -Properties PrincipalsAllowedToRetrieveManagedPassword
Get-ADServiceAccount -Identity "gMSA-account" -Properties MemberOf

Some things are so easy that you can't find them.

__________________
Pieter Demeulemeester

#3  Pieter (Senior Member, 239 posts)
Or even better:

$gMSA=Get-ADServiceAccount -Identity "gMSA-account" -Properties *
$gMSA.memberof
$gMSA.PrincipalsAllowedToRetrieveManagedPassword

__________________
Pieter Demeulemeester

#4  JasonH (Still Checking the Forum Out, 2 posts)
A couple other options: 
Code:

(Get-ADServiceAccount -Identity gmsaName -prop *).memberof
(Get-ADServiceAccount -Identity gmsaName -prop *).principalsallowedtoretrievemanagedpassword


I've been moving a number of our scheduled tasks away from a standard service account to a gMSA this month. I encountered an interesting situation with scheduled tasks with triggers that use a "repeat task every..." option. My notes on it in hopes it may save just one person some head-scratching:

Scheduled task triggers that use a “repeat task every” option or the “stop the task if it runs longer than” option do not appear to work with gMSAs on Server 2012 R2 and will generate the error “the system cannot find the file specified (0x80070002)” in task scheduler.
The only way I’ve been able to make a “repeat task every” trigger is to create it with a “one time” trigger with a “repeat task every” option. That is to say, you cannot use a “daily”, “weekly” or “monthly” trigger with the “repeat task every” option or the “stop the task if it runs longer than” option.  This does not appear to be a problem on Server 2016.
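Building on the lookups in posts #3 and #4, here is an added example (my own, not code from the thread) that turns the two attributes into a small audit: it expands the PrincipalsAllowedToRetrieveManagedPassword entries down to the individual computers that can actually fetch the password, and flags any memberOf entries that are built-in privileged groups. It assumes the ActiveDirectory module is loaded; the account name "gMSA-account" and the list of sensitive group names are placeholders to adjust.

```powershell
# Added example: audit who can retrieve a gMSA's password and which groups the
# gMSA belongs to. Assumes the RSAT ActiveDirectory module and a domain-joined
# session. The account name and the $sensitive list below are assumptions.
Import-Module ActiveDirectory

function Get-GmsaAudit {
    param([Parameter(Mandatory)][string]$Name)

    $gmsa = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf

    # Each entry is a DN of a computer or a group. Groups are expanded
    # recursively, because every nested member computer can retrieve the
    # password; that expanded list is the real exposure of the account.
    $retrievers = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                [pscustomobject]@{ Principal = $_.Name; Type = $_.objectClass; Via = $obj.Name }
            }
        } else {
            [pscustomobject]@{ Principal = $obj.Name; Type = $obj.ObjectClass; Via = '(direct)' }
        }
    }

    # Direct group memberships (memberOf) are what the gMSA can reach once it
    # runs. Flag the well-known privileged groups (assumed list; extend as needed).
    $sensitive = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                 'Account Operators', 'Server Operators', 'Backup Operators'
    $memberships = foreach ($dn in $gmsa.MemberOf) {
        $grp = Get-ADGroup -Identity $dn
        [pscustomobject]@{ Group = $grp.Name; Sensitive = ($sensitive -contains $grp.Name) }
    }

    [pscustomobject]@{
        Account            = $gmsa.Name
        PasswordRetrievers = $retrievers
        MemberOf           = $memberships
    }
}

$report = Get-GmsaAudit -Name 'gMSA-account'   # placeholder name from the thread
$report.PasswordRetrievers | Format-Table -AutoSize
$report.MemberOf           | Format-Table -AutoSize
if ($report.MemberOf.Sensitive -contains $true) {
    Write-Warning "$($report.Account) is a member of a highly privileged group"
}
```

Note that Get-ADGroupMember -Recursive can hit the default recursion and size limits on very large groups; for those, query the group's members in batches instead.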
#5  Pieter (Senior Member, 239 posts)
Thanks for the info, Jason.
__________________
Pieter Demeulemeester