Differences

This shows you the differences between two versions of the page.

en:it-security:gmsa [2024/01/16 13:39] psycoreen:it-security:gmsa [2024/02/05 08:30] (current) – old revision restored (2024/02/04 23:24) psycore
Line 43: Line 43:
 The RSAT tools may need to be activated. Statement from Microsoft on this: The RSAT tools may need to be activated. Statement from Microsoft on this:
  
-> As of the Windows 10 October 2018 Update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.+> As of the October 2018 Windows 10 update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.
 <sup>[[https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools]]</sup> <sup>[[https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools]]</sup>
  
-If the Powershell is still open, you can also start the installation with this command: +If the RSAT tools are activated, the ActiveDirectory module must be imported:
- +
-<code powershell> +
-Install-WindowsFeature -IncludeAllSubFeature RSAT +
-</code> +
- +
-After the installationa restart may be required and the ActiveDirectory module must be imported into PowerShell:+
  
 <code powershell> <code powershell>
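Review bot: Dropping the Install-WindowsFeature block also drops the hint that a restart may be required before the ActiveDirectory module can be imported; keep that sentence in the new text. Since Install-WindowsFeature only applies to Windows Server while the quoted Microsoft text describes the Windows 10 optional-feature path, it would be clearer to state which installation path applies to which OS than to remove the server command outright.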
Line 60: Line 54:
 ===== Authorisations ===== ===== Authorisations =====
  
-The authorisations can now be assigned as required. Either by assigning a security group in AD or as a local administrator on the target system. Authorisation concepts should only ever contain the authorisations that are really necessary.+The authorisations can now be assigned as required. Either by assigning a security group in ADor as a local administrator on the target system.
  
 ===== Services ===== ===== Services =====
  
-Services can now be started in this user context. To do this, simply open the service console and navigate to the properties of the service:+Services can now be provided with this user. To do this, simply open the service console and open the properties of the corresponding service:
  
   * ''Log in'' Open tab   * ''Log in'' Open tab
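Review bot: The rewritten Authorisations paragraph removes the sentence "Authorisation concepts should only ever contain the authorisations that are really necessary", which is the least-privilege guidance that justifies using a gMSA in the first place; keep it. The replacement also introduces a typo ("in ADor as a local administrator" is missing a space), and "Services can now be provided with this user" reads less clearly than the previous "started in this user context".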
Line 82: Line 76:
 </code> </code>
  
-The account may need to be granted the right to log in as a batch processing task:+It may be necessary to grant the account the right to log in as a batch processing task:
  
 {{it-security:screenshot_2023-11-30_154419.png?600|}} {{it-security:screenshot_2023-11-30_154419.png?600|}}
 +
 +===== Change authorisations =====
 +
 +==== Services ====
 +
 +**PowerShell 7 is required**
 +
 +<code powershell>
 +PS C:\Users\PSY> $creds = Get-Credential
 +
 +PowerShell credential request
 +Enter your credentials.
 +User: DOMAIN\PSY
 +Password for user DOMAIN\PSY: *****************
 +
 +PS C:\Users\PSY> Set-Service -name "Service" -Credential $creds
 +</code>
 +
 +===== Delete gMSA account =====
 +
 +When deleting a gMSA account, it is important that the assignments and authorisations are also removed. To do this, proceed as follows:
 +
 +  * Check host assignment
 +  * Cancel assignment
 +  * Check group membership
 +  * Delete group membership
 +  * Delete gMSA account from AD
 +
 +==== Check host assignment ====
 +
 +<code powershell>
 +Get-ADServiceAccount -Identity <ACCOUNTNAME> -Properties PrincipalsAllowedToRetrieveManagedPassword
 +</code>
 +
 +==== Cancel assignment ====
 +
 +<code powershell>
 +Set-ADServiceAccount <ACCOUNTNAME> -PrincipalsAllowedToRetrieveManagedPassword $NULL -PassThru
 +Test-ADServiceAccount <ACCOUNTNAME>$
 +</code>
 +
 +==== Check group membership ====
 +
 +<code powershell>
 +$ADGroup = (Get-ADServiceAccount -Identity <ACCOUNTNAME>$ -Properties MemberOf).MemberOf
 +$ADGroup | Get-ADGroup | Select-Object Name
 +</code>
 +
 +==== Delete group membership ====
 +
 +<code powershell>
 +Remove-ADPrincipalGroupMembership <ACCOUNTNAME>$ -MemberOf $ADGroup
 +</code>
 +
 +==== Delete gMSA account from AD ====
 +
 +<code powershell>
 +Remove-ADServiceAccount -Identity <ACCOUNTNAME>
 +Get-ADServiceAccount -Identity <ACCOUNTNAME>
 +</code>
  
 ---- ----
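Review bot: In the new "Change authorisations" block the Get-Credential prompt shows a personal account (DOMAIN\PSY) with a typed password, which does not fit a gMSA: a gMSA is addressed as DOMAIN\<ACCOUNTNAME>$ and has no password an administrator types, so either show that account name with an empty password or say explicitly that this block is meant for ordinary service accounts. Two smaller points in the "Delete gMSA account" section: the placeholders alternate between <ACCOUNTNAME> and <ACCOUNTNAME>$ across the cmdlets, and "Delete group membership" reuses $ADGroup from the preceding block, so it fails if that block was not run in the same session or the account is in no groups; guard it with "if ($ADGroup) { ... }". Consider also an Uninstall-ADServiceAccount step on the host before clearing PrincipalsAllowedToRetrieveManagedPassword, and note that the closing Get-ADServiceAccount is expected to error once the account is gone.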
Line 90: Line 144:
  
   * [[https://www.frankysweb.de/group-managed-service-accounts-gmsa-fuer-tasks-und-dienste/]]   * [[https://www.frankysweb.de/group-managed-service-accounts-gmsa-fuer-tasks-und-dienste/]]
 +  * [[https://www.der-windows-papst.de/2022/03/11/uninstall-group-managed-service-account/]]