How to Use Group Managed Service Accounts
Purpose
Provide instructions for using Group Managed Service Accounts (gMSA) on specified computers.
Scope
This guide details the steps to configure and use gMSAs on designated computers, including necessary PowerShell commands and service/scheduled task configurations.
Responsibilities
- System Administrators: Execute the steps to configure and manage gMSAs, and ensure proper setup and maintenance of gMSAs on relevant systems.
Procedure
NOTE: COMPUTERNAME = the name of the computer that will run the gMSA. gMSAcct01 is the gMSA used throughout this guide; substitute your own account name. The first block of steps is run from an administrative workstation or domain controller that has the Active Directory PowerShell module and rights to modify gMSA_Group and the gMSA; the second block is run on COMPUTERNAME itself.
- Open an elevated PowerShell window.
- Enter "Import-Module ActiveDirectory"
- Enter "Add-ADGroupMember "gMSA_Group" -Members COMPUTERNAME$" NOTE: The trailing $ is required; COMPUTERNAME$ is the SAM account name of the computer object.
- Enter "Get-ADGroupMember "gMSA_Group" | Select-Object Name" NOTE: Record every computer in the group. The complete list is needed in the Set-ADServiceAccount step below, because that command replaces the existing list instead of adding to it.
- Append every computer in gMSA_Group to the command below. At the time of writing (May 2023) the group contained the following computers:
  MVTA-AP07
  MVTA-AP08
  MVTA-CSM
  MVTA-DB
  MVTA-FTP
  MVTA-AP05
  MVTA-AP01
  MVTA-MGMT
  MVTA-SCCM
  MVTA-APC
  MVTA-UTA
- Enter "Set-ADServiceAccount -Identity gMSAcct01 -PrincipalsAllowedToRetrieveManagedPassword COMPUTERNAME$, COMPUTERNAME$" (one comma-separated entry per computer recorded above, each ending in $).
NOTE: -PrincipalsAllowedToRetrieveManagedPassword overwrites the current list. Any computer omitted loses the ability to retrieve the gMSA password, and its services or scheduled tasks that run as the gMSA will fail the next time the password is rotated (every 30 days by default). The parameter also accepts a group, so passing gMSA_Group itself instead of the individual computers avoids re-entering the list each time a computer is added to the group.
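The following script is an added example and not part of the original guide. It automates the "record every computer in the group, then re-enter the whole list" step above: it reads the current computer members of gMSA_Group, shows which currently allowed principals would lose access, replaces the list on gMSAcct01, and reads it back. It assumes the Active Directory module is available, the caller has rights to modify the gMSA, and the group and account names used in this guide (gMSA_Group, gMSAcct01).

```powershell
# Added example (not from the original SOP): rebuild the gMSA's
# PrincipalsAllowedToRetrieveManagedPassword list from the current computer
# members of gMSA_Group so that no computer is silently dropped.
# Assumptions: AD module present, rights to modify the gMSA, names as in this guide.
Import-Module ActiveDirectory

$GroupName = 'gMSA_Group'   # group from this guide (assumed)
$GmsaName  = 'gMSAcct01'    # gMSA from this guide (assumed)

# Only computer objects can retrieve a gMSA password; ignore users or other
# object types that may have been added to the group by mistake.
$computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' }

if (-not $computers) {
    throw "Group '$GroupName' contains no computer objects; refusing to clear the principal list."
}

# SAM account names of the computers, e.g. MVTA-AP07$
$newSam = @($computers | ForEach-Object { $_.SamAccountName })

# Current list (stored as distinguished names); the Set call below replaces it.
$current = @((Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
$currentSam = @($current | ForEach-Object {
    (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName
})

Write-Output "Current principals: $($currentSam -join ', ')"
Write-Output "New principals:     $($newSam -join ', ')"

# Warn about any principal that has access today but is not in the group.
$dropped = @($currentSam | Where-Object { $_ -notin $newSam })
if ($dropped) {
    Write-Warning "These principals will lose access to $GmsaName's password: $($dropped -join ', ')"
}

Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $newSam

# Read the list back and resolve it to SAM names so the result can be compared
# with what Get-ADGroupMember reported.
$after = @((Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
$after | ForEach-Object { (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName } |
    Sort-Object
```

Run it after each Add-ADGroupMember; the warning line is the check that the manual "record all PCs" note is there to enforce. If the group itself is ever used as the principal, the script reports the group's name in the "Current principals" line and would replace it with the explicit computer list, so remove that step if you switch to group-based access.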
- Log on to COMPUTERNAME and open PowerShell as Administrator.
- Type "Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature" to install the AD module for PowerShell. NOTE: Install-WindowsFeature exists only on Windows Server; on a Windows 10/11 client install the capability "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" with Add-WindowsCapability -Online instead.
- Type "Import-Module ActiveDirectory"
- Type "Install-ADServiceAccount gMSAcct01"
- Type "Test-ADServiceAccount gMSAcct01" NOTE: This command should return True. If it returns False, the usual causes are that COMPUTERNAME$ is not in the gMSA's PrincipalsAllowedToRetrieveManagedPassword list, or, where access was granted through group membership, the computer has not yet obtained a Kerberos ticket that includes the new group (reboot COMPUTERNAME, or run "klist -li 0x3e7 purge" and retry).
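The script below is an added example, not part of the original guide. It runs the install-and-test steps above on COMPUTERNAME and, when Test-ADServiceAccount returns False, checks the causes a practitioner looks at first: whether this computer (directly or through one of its groups) is allowed to retrieve the password, whether a KDS root key exists, and whether the account is actually a gMSA. It assumes it is run elevated on COMPUTERNAME with the AD module installed, that a domain controller is reachable, and the account name gMSAcct01 from this guide.

```powershell
# Added example (not from the original SOP): install the gMSA on this computer
# and explain a False result from Test-ADServiceAccount.
# Assumptions: elevated PowerShell on COMPUTERNAME, RSAT AD module installed,
# domain controller reachable, gMSA named gMSAcct01 (name from this guide).
Import-Module ActiveDirectory

$GmsaName = 'gMSAcct01'
$me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf   # this computer's AD object

Install-ADServiceAccount -Identity $GmsaName -ErrorAction SilentlyContinue

if (Test-ADServiceAccount -Identity $GmsaName) {
    Write-Output "OK: $GmsaName is installed and its password is retrievable from $env:COMPUTERNAME."
    return
}

Write-Warning "Test-ADServiceAccount returned False for $GmsaName. Checking the usual causes..."

$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)   # distinguished names

# 1. Is this computer allowed to retrieve the password, directly or via a group?
if ($me.DistinguishedName -in $allowed) {
    Write-Output "This computer is listed directly in PrincipalsAllowedToRetrieveManagedPassword."
} else {
    # MemberOf lists direct group membership only; nested groups are not expanded here.
    $viaGroup = @($allowed | Where-Object { $_ -in @($me.MemberOf) })
    if ($viaGroup) {
        Write-Output "Access is granted through group(s): $($viaGroup -join ', ')"
        Write-Output "If that membership is recent, this computer's Kerberos ticket may not include it yet:"
        Write-Output "reboot, or run 'klist -li 0x3e7 purge' and test again."
    } else {
        Write-Warning ("Neither $($me.SamAccountName) nor any of its direct groups is in " +
            "PrincipalsAllowedToRetrieveManagedPassword. Fix that with Set-ADServiceAccount first.")
    }
}

# 2. A KDS root key must exist before any gMSA password can be generated.
#    Get-KdsRootKey comes from the Kds module, which is not present on every client.
try {
    $keys = @(Get-KdsRootKey -ErrorAction Stop)
    if ($keys.Count -eq 0) {
        Write-Warning "No KDS root key exists in the domain; Add-KdsRootKey is required on a DC."
    }
} catch {
    Write-Output "Get-KdsRootKey is unavailable on this host; verify the KDS root key from a domain controller."
}

# 3. Make sure the object is a group managed service account, not a standalone MSA.
if ($gmsa.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    Write-Warning "$GmsaName is a $($gmsa.ObjectClass), not a group managed service account."
}
```

The group check compares distinguished names, so it only recognises access granted through a group that is itself listed on the gMSA; access granted to a computer that is nested in such a group through another group is not detected and shows up as the final warning.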
To use it with a service:
- Open Services, open the service's properties, and on the Log On tab set "This account" to MVTADOMAIN\gMSAcct01$.
NOTE: Leave both password fields blank; Windows retrieves the password from Active Directory. The Services snap-in grants the account the "Log on as a service" right automatically. Restart the service for the new logon account to take effect.
To use it with a scheduled task:
- Create the task in Task Scheduler and configure its triggers, actions and settings.
- Save the task under your own login; the Task Scheduler UI requires a password and so cannot save a task as the gMSA directly.
- Open CMD as Administrator.
- Use the following command to switch the task to run as the gMSAcct01 account:
- "SCHTASKS /Change /RU "mvtadomain\gMSAcct01$" /TN "TASKNAME" /RL HIGHEST"
- Press Enter at the password prompt, leaving it blank; the gMSA has no password you can enter.
NOTE: The account needs the "Log on as a batch job" user right on COMPUTERNAME. If the task's History shows a logon failure after the change, grant that right and run the task again.
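As an added example (not part of the original guide), the same change can be made from PowerShell with the ScheduledTasks module, which avoids the blank-password prompt and lets you verify the result in the same session. It assumes it is run elevated on COMPUTERNAME after Test-ADServiceAccount returned True, and that TASKNAME and mvtadomain\gMSAcct01$ are the placeholders used above.

```powershell
# Added example (not from the original SOP): switch an existing scheduled task
# to run as the gMSA using the ScheduledTasks module, then verify and run it.
# Assumptions: elevated PowerShell on COMPUTERNAME, task already created as in
# the steps above, placeholder names TASKNAME and mvtadomain\gMSAcct01$.
$TaskName = 'TASKNAME'
$GmsaUser = 'mvtadomain\gMSAcct01$'

# Look the task up first so its folder (TaskPath) is preserved on the update.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop

# LogonType Password makes Task Scheduler log the account on with a password;
# for a gMSA it obtains that password from AD, so none is supplied here.
# RunLevel Highest corresponds to /RL HIGHEST in the schtasks command.
$principal = New-ScheduledTaskPrincipal -UserId $GmsaUser -LogonType Password -RunLevel Highest

# For a brand-new task the same principal can be passed to Register-ScheduledTask
# together with -Action and -Trigger; here an existing task is updated in place.
Set-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath -Principal $principal | Out-Null

# Verify what the task will now run as.
$updated = Get-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath
[pscustomobject]@{
    Task      = $updated.TaskName
    RunAs     = $updated.Principal.UserId
    LogonType = $updated.Principal.LogonType
    RunLevel  = $updated.Principal.RunLevel
}

# Run it once and read back the last result; 0 means the task ran successfully,
# anything else (for example a logon failure) should be checked in the task's History.
Start-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName -TaskPath $task.TaskPath |
    Select-Object TaskName, LastRunTime, LastTaskResult
```

If LastTaskResult is non-zero immediately after the change, the "Log on as a batch job" right and the Test-ADServiceAccount result on this computer are the first two things to check.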