{{tag>english startpage it-security windows active-directory}}
====== Group Managed Service Accounts ======
===== Security information =====
This tutorial only shows the general procedure. Depending on the company structure, a suitable authorisation concept must be planned beforehand. Questions that should be settled before the first gMSA is created:
* How are authorisations assigned (via security groups, or individually per account)?
* How are the gMSA accounts structured (one per server, one per service, etc.)?
===== Preparations =====
Create the KDS root key on a DC (once per forest; gMSA passwords are derived from it):
Add-KdsRootKey -EffectiveImmediately
Despite the parameter name, the key can only be used to create gMSAs once it has replicated to all domain controllers. Wait 10 hours before running the first ''New-ADServiceAccount''; until then the command fails because no effective key exists.
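The following is an added example (not from the original page) of creating the root key and checking when it becomes usable. It shows the production command next to the lab-only variant that backdates the effective time, which is only acceptable on a single test DC where there is nothing to replicate to.

```powershell
# Added example: create and verify the KDS root key on a domain controller.
# Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

# Production: the key becomes usable only after the 10-hour replication
# window, even though the parameter is called -EffectiveImmediately.
Add-KdsRootKey -EffectiveImmediately

# Lab only (single DC): backdate the effective time by 10 hours so the key
# can be used straight away. Do NOT do this in a multi-DC production forest,
# DCs that have not received the key yet cannot serve gMSA passwords.
# Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# List the root key(s) and when they become effective
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime

# Simple readiness check: $true once at least one key is effective.
# Before that, New-ADServiceAccount fails with "Key does not exist".
$earliest = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
(Get-Date) -gt $earliest.EffectiveTime
```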
===== gMSA account =====
==== Create ====
On the DC (replace the placeholders in angle brackets with your own values; ''-DNSHostName'' is a mandatory label for the account and does not have to resolve):
New-ADServiceAccount -Name <gMSAName> -DNSHostName <gMSAName>.<domain-fqdn> -PrincipalsAllowedToRetrieveManagedPassword <Host>$
''-PrincipalsAllowedToRetrieveManagedPassword'' takes the computer accounts (''<Host>$'') or, preferably, a security group containing the hosts that may use the account.
==== test ====
On the target system:
Test-ADServiceAccount <gMSAName>
If successful, the console reports ''True''. ''False'' means the host cannot retrieve the managed password: check that it (or its group) is listed in ''PrincipalsAllowedToRetrieveManagedPassword'', that the host has been rebooted since it was added to the group, and that the 10-hour wait for the root key has elapsed.
=== For errors on the target system ===
The RSAT tools may need to be activated. Statement from Microsoft on this:
> As of the October 2018 Windows 10 update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.
[[https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools]]
Once the RSAT tools are present, the ActiveDirectory module must be imported:
Import-Module ActiveDirectory
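The whole create-and-test procedure, as an added example that is not part of the original page. It uses a security group of hosts rather than a single computer account for password retrieval, and on the target host installs the ActiveDirectory module if it is missing. The account name ''gmsa-web01'', the group ''gMSA-web01-Hosts'' and the host ''WEB01'' are assumptions.

```powershell
# Added example, assumed names: gMSA 'gmsa-web01', host group 'gMSA-web01-Hosts', host 'WEB01'.

# --- Part 1: on the DC ---
Import-Module ActiveDirectory
$gmsaName   = 'gmsa-web01'          # max. 15 characters (SAM account name limit)
$hostGroup  = 'gMSA-web01-Hosts'    # hosts allowed to retrieve the password
$domainFqdn = (Get-ADDomain).DNSRoot

# Granting retrieval via a group means adding a server later is a
# group-membership change, not a change to the gMSA itself.
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'WEB01')

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30   # rotation interval, can only be set at creation

# Show what was created
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, DNSHostName

# --- Part 2: on the target host WEB01 ---
# Reboot first (or purge the SYSTEM ticket cache with "klist -li 0x3e7 purge"):
# the new group membership is only visible in a fresh computer token.

# The ActiveDirectory module ships with RSAT; install it if it is missing.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 1) {
        # Client OS (Windows 10/11): feature on demand
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    } else {
        # Windows Server
        Install-WindowsFeature RSAT-AD-PowerShell
    }
}
Import-Module ActiveDirectory

# Not required for a gMSA, but a harmless first check of password retrieval
Install-ADServiceAccount -Identity $gmsaName

if (Test-ADServiceAccount -Identity $gmsaName) {
    "gMSA $gmsaName is usable on $env:COMPUTERNAME"
} else {
    Write-Warning "gMSA $gmsaName not usable: check group membership, reboot, and KDS root key"
}
```

Part 1 runs on a DC, part 2 on the target host; the two parts are in one block only to show the order of operations.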
===== Authorisations =====
The authorisations can now be assigned as required: either by adding the gMSA to a security group in AD, or by granting it rights locally on the target system. Grant only what the service actually needs; making the gMSA a local administrator is rarely necessary and widens the impact if any host that can retrieve the password is compromised.
===== Services =====
Services can now be run under this account. To do this, open the Services console and open the properties of the service in question:
* Open the ''Log On'' tab
* Select ''This account''
* Enter the account from the domain in the form ''DOMAIN\<gMSAName>$'' (the trailing ''$'' is part of the name)
* Leave both ''Password'' fields empty (the password is retrieved from AD)
* Confirm the dialogue and restart the service
{{it-security:screenshot_2023-11-30_154322.png?600|}}
===== Task planning =====
To run a task in the context of the gMSA account, the task must be changed from the command line (the Task Scheduler GUI asks for a password, which a gMSA does not have):
schtasks /Change /TN "<TaskName>" /RU "DOMAIN\<gMSAName>$" /RP ""
It may be necessary to grant the account the ''Log on as a batch job'' user right (Local Security Policy, User Rights Assignment):
{{it-security:screenshot_2023-11-30_154419.png?600|}}
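As an added example (not from the original page), the same result with the ScheduledTasks module, which can also create the task from scratch. ''-LogonType Password'' tells the Task Scheduler to fetch the password from AD at run time, so nothing is stored in the task. The task name, script path and gMSA name are assumptions.

```powershell
# Added example, assumed values: gMSA 'DOMAIN\gmsa-web01$', task 'Nightly Cleanup',
# script C:\Scripts\Cleanup.ps1. Run on the host that is allowed to use the gMSA.
$gmsa     = 'DOMAIN\gmsa-web01$'
$taskName = 'Nightly Cleanup'

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Cleanup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# LogonType Password: the scheduler retrieves the gMSA password from AD,
# no password is entered or stored.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal

# For an existing task, the page's schtasks variant does the same thing:
# schtasks /Change /TN $taskName /RU $gmsa /RP ""

# Verify the principal
(Get-ScheduledTask -TaskName $taskName).Principal | Select-Object UserId, LogonType

# Trigger a run and read the result. 0 = success; a logon-right failure
# (gMSA lacks "Log on as a batch job") typically shows as 0x80070569
# (ERROR_LOGON_TYPE_NOT_GRANTED).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
$info = Get-ScheduledTaskInfo -TaskName $taskName
'LastRun: {0}  Result: 0x{1:X8}' -f $info.LastRunTime, $info.LastTaskResult
```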
===== Change authorisations =====
==== Services ====
**PowerShell 7 is required** (''Set-Service'' in Windows PowerShell 5.1 has no ''-Credential'' parameter).
PS C:\Users\PSY> $creds = Get-Credential
PowerShell credential request
Enter your credentials.
User: DOMAIN\PSY
Password for user DOMAIN\PSY: *****************
PS C:\Users\PSY> Set-Service -Name "Service" -Credential $creds
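An added example (not from the original page) that assigns a gMSA to a service without the interactive prompt, covering both this section and the GUI steps under "Services" above. It shows ''sc.exe'', which works in any shell, next to the PowerShell 7 ''Set-Service'' form, and then verifies the account the service actually uses. The service name and gMSA name are assumptions, as is the empty-''SecureString'' credential behaving like ''sc.exe''’s empty password.

```powershell
# Added example, assumed values: service 'MyService', gMSA 'DOMAIN\gmsa-web01$'.
$service = 'MyService'
$gmsa    = 'DOMAIN\gmsa-web01$'

# Option 1 (cmd or any PowerShell): sc.exe. The empty password tells the
# Service Control Manager to fetch the password from AD.
# Note the mandatory space after "obj=" and "password=".
sc.exe config $service obj= $gmsa password= ""

# Option 2 (PowerShell 7 only): Set-Service -Credential with a credential that
# carries an empty password instead of prompting via Get-Credential.
# Assumption: the empty SecureString is treated like sc.exe's password= "".
$cred = [pscredential]::new($gmsa, [securestring]::new())
Set-Service -Name $service -Credential $cred

# Verify which account the service is configured to use
Get-CimInstance Win32_Service -Filter "Name='$service'" |
    Select-Object Name, StartName, StartMode, State

# Unlike the Services GUI, sc.exe does not grant the "Log on as a service"
# right. If the restart fails with error 1069 (logon failure), grant that
# right to the gMSA in Local Security Policy and try again.
Restart-Service -Name $service
Get-Service -Name $service | Select-Object Name, Status
```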
===== Delete gMSA account =====
When deleting a gMSA account, its host assignments and authorisations must be removed as well; otherwise stale group memberships and retrieval permissions remain in AD. Proceed as follows:
* Check host assignment
* Cancel assignment
* Check group membership
* Delete group membership
* Delete gMSA account from AD
==== Check host assignment ====
Get-ADServiceAccount -Identity <gMSAName> -Properties PrincipalsAllowedToRetrieveManagedPassword
==== Cancel assignment ====
Set-ADServiceAccount -Identity <gMSAName> -PrincipalsAllowedToRetrieveManagedPassword $NULL -PassThru
On a former host, ''Test-ADServiceAccount <gMSAName>'' should now return ''False'', because no principal may retrieve the password any more.
==== Check group membership ====
$ADGroup = (Get-ADServiceAccount -Identity <gMSAName>$ -Properties MemberOf).MemberOf
$ADGroup | Get-ADGroup | Select-Object Name
==== Delete group membership ====
Remove-ADPrincipalGroupMembership <gMSAName>$ -MemberOf $ADGroup
==== Delete gMSA account from AD ====
Remove-ADServiceAccount -Identity <gMSAName>
Get-ADServiceAccount -Identity <gMSAName>
The second command must now fail with "Cannot find an object with identity", which confirms the deletion.
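The complete clean-up as one script, added here as an example that is not part of the original page. Before touching AD it checks on the host whether any service or scheduled task still runs under the account, since deleting the gMSA first would leave those failing with logon errors. The gMSA name ''gmsa-web01'' is an assumption.

```powershell
# Added example, assumed gMSA name 'gmsa-web01'.
Import-Module ActiveDirectory
$gmsaName = 'gmsa-web01'
$gmsaSam  = "$gmsaName`$"

# --- Step 0: on each former host, make sure nothing still uses the account ---
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*\$gmsaSam" }
$tasks    = Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$gmsaSam" }
if ($services -or $tasks) {
    Write-Warning "Still in use on $env:COMPUTERNAME:"
    $services | Select-Object Name, StartName
    $tasks    | Select-Object TaskName, @{n='UserId'; e={ $_.Principal.UserId }}
    return   # reassign those first, then rerun
}
Uninstall-ADServiceAccount -Identity $gmsaName -ErrorAction SilentlyContinue

# --- Steps 1-5: on the DC ---
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf

# 1+2: show and cancel the host assignment
"Principals allowed to retrieve the password:"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $null

# 3+4: show and remove group memberships (these carry the authorisations)
if ($gmsa.MemberOf) {
    "Removing from groups:"
    $gmsa.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name
    Remove-ADPrincipalGroupMembership -Identity $gmsa -MemberOf $gmsa.MemberOf -Confirm:$false
}

# 5: delete the account and prove it is gone
Remove-ADServiceAccount -Identity $gmsaName -Confirm:$false
try {
    Get-ADServiceAccount -Identity $gmsaName | Out-Null
    Write-Warning "$gmsaName still exists"
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    "$gmsaName removed from AD"
}
```

Step 0 is per host and steps 1 to 5 are run on a DC; they are shown in one block only to keep the order visible.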
----
Sources:
* [[https://www.frankysweb.de/group-managed-service-accounts-gmsa-fuer-tasks-und-dienste/]]
* [[https://www.der-windows-papst.de/2022/03/11/uninstall-group-managed-service-account/]]