
Group Managed Service Account for Azure AD Connect

Have you seen that AADConnect supports gMSA, also known as Group Managed Service Account?

It’s so easy to get this going so I want to show you how to set this up.

If you don’t have any gMSAs in your Active Directory yet, you first need to create the Key Distribution Service (KDS) root key:

Add-KdsRootKey -EffectiveImmediately

Note that with -EffectiveImmediately the key only becomes usable after Active Directory replication has completed, so you have to wait before you can use gMSAs on other domain controllers.

In a test environment you can skip the wait with this PowerShell one-liner, which backdates the key by 10 hours:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

TechNet link on the KDS root key: https://technet.microsoft.com/en-us/library/jj128430(v=ws.11).aspx

Now, how do we create this account that changes its own password, so we can simply forget about the account?

PowerShell One-Liner:

New-ADServiceAccount -Name <service account name> -Path "CN=Managed Service Accounts,DC=<domain>,DC=<extension>" -DNSHostName <FQDN Azure AD Connect server> -PrincipalsAllowedToRetrieveManagedPassword <Azure AD Connect server>$

For example:

New-ADServiceAccount -Name gmsaAADConnect -Path "CN=Managed Service Accounts,DC=thoorlab,DC=tech" -DNSHostName DC01.thoorlab.tech -PrincipalsAllowedToRetrieveManagedPassword DC01$

Then in the AADConnect wizard, choose Customize Settings, and then choose “Use an existing service account”. Specify the service account in the format “domain\serviceaccountname$”.

If you want to use this gMSA on another server, you must first install the Active Directory PowerShell module on the target server. Then, with domain admin permissions, run the following PowerShell commands:

# Install the AD management tools, including the ActiveDirectory PowerShell module
Install-WindowsFeature RSAT-ADDS -Verbose
# Look up the gMSA object
$ADServiceAccount = Get-ADServiceAccount -Filter { Name -eq '<name of service account>'}
# Set the full list of computer accounts allowed to retrieve the managed password (this replaces the existing list)
$ADServiceAccount | Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword <name of server>$,<name of server>$
# Install the gMSA on this server so local services can use it
Install-ADServiceAccount $ADServiceAccount

If you run Set-ADServiceAccount and only specify the new server, you will overwrite the list and the old server loses its permission to read the password. So before you run Set-ADServiceAccount, run Get-ADServiceAccount with the property PrincipalsAllowedToRetrieveManagedPassword to see which server or servers have the permission right now. Then specify all of them, separated by commas.

Get-ADServiceAccount -Identity <name of service account>$ -Properties PrincipalsAllowedToRetrieveManagedPassword
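As an added example (not code from the original post), here is a script that grants a second server the right to retrieve the gMSA password while keeping every principal that is already on the list, which is the overwrite pitfall described above. The gMSA name gmsaAADConnect comes from the post; the server name AADC02 is an assumed placeholder.

```powershell
# Added example, not from the original post. Run with domain admin rights.
Import-Module ActiveDirectory

$gmsaName  = 'gmsaAADConnect'   # gMSA created earlier in the post
$newServer = 'AADC02'           # assumed placeholder: the additional Azure AD Connect server

# Read the principals that may currently retrieve the managed password.
# The property holds distinguished names of the allowed computer accounts.
$gmsa    = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host "Currently allowed: $($current -join ', ')"

# Resolve the new server's computer object and append it instead of
# replacing the list: Set-ADServiceAccount overwrites the whole attribute.
$newComputer = Get-ADComputer -Identity $newServer
if ($current -contains $newComputer.DistinguishedName) {
    Write-Host "$newServer is already allowed; nothing to change."
}
else {
    $principals = $current + $newComputer.DistinguishedName
    Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $principals
}

# Verify the resulting list so you can confirm no server was dropped.
$after = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$after.PrincipalsAllowedToRetrieveManagedPassword

# Then, on the new server itself (after the RSAT AD PowerShell module is installed):
#   Install-ADServiceAccount -Identity $gmsaName
#   Test-ADServiceAccount -Identity $gmsaName   # True once this server can retrieve the password
```

Test-ADServiceAccount returning False on a server after the change is the quickest sign that its computer account was left off the list.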


