Why does PowerShell Get-ADObject error when querying a MSA/gMSA?

Tony Auby 20 Reputation points
2023-03-25T12:08:21.6566667+00:00

Using PowerShell, why does Get-ADObject not return gMSAs? ADUC lists them as 'computer' objects, but Get-ADComputer also will not return them. Get-ADGroup and Get-ADGroupMember will both show them as members. But you'd have to already know what they are ahead of time to identify them in a script and, say, retrieve their properties. You must use Get-ADServiceAccount to retrieve their properties.

I am extracting members of a specific group, which may contain users, nested groups, Foreign Security Principals, or gMSAs. I use Get-ADObject on each member to identify what 'type' of object they are, then take different actions depending on which. I'm using Windows 2016 and PS v5.1.

Windows Server PowerShell

1 answer

  1. Erkan Sahin 830 Reputation points
    2023-03-25T12:30:14.4866667+00:00

    The reason that Get-ADObject and Get-ADComputer do not return gMSAs is that gMSAs (Group Managed Service Accounts) are not traditional user or computer accounts. They are a type of service account specifically designed for applications running on multiple servers, and are managed by Active Directory rather than by individual servers.

    To retrieve information about gMSAs, you can use the Get-ADServiceAccount cmdlet. This cmdlet is specifically designed to work with gMSAs, and can be used to retrieve information such as the account name, description, and group memberships.

    In your scenario, you could modify your script to first use Get-ADObject to retrieve the type of each member, and then use the appropriate cmdlet (e.g. Get-ADUser, Get-ADGroup, Get-ADServiceAccount, etc.) to retrieve the properties for that specific type of object. This way, you can handle all types of objects within the same script.

    Please mark as helpful answer if it helps you :-)
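
The dispatch-by-object-type approach described in the answer above, written out as an added example (this is not code from the question author or the answerer). It reads the group's raw `member` attribute, asks Get-ADObject for each member's objectClass, and then hands the DN to the type-specific cmdlet: Get-ADUser, Get-ADGroup (recursing into nested groups with loop protection), Get-ADServiceAccount for both gMSAs and standalone MSAs, and SID translation for Foreign Security Principals. The group name 'App-Admins' is a placeholder; the ActiveDirectory module and a domain-joined session are assumed.

```powershell
# Added example, not from the original post or answer. Assumes the ActiveDirectory
# module (RSAT) is installed and the session can reach a domain controller.
Import-Module ActiveDirectory

function Get-GroupMemberDetail {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Tracks DNs already visited so A -> B -> A nesting cannot recurse forever.
        [System.Collections.Generic.HashSet[string]]$Seen =
            [System.Collections.Generic.HashSet[string]]::new()
    )

    # Read the 'member' attribute directly: it always lists every DN, including
    # gMSAs and Foreign Security Principals, regardless of how each resolves later.
    $group = Get-ADGroup -Identity $GroupName -Properties member

    foreach ($dn in $group.member) {
        if (-not $Seen.Add($dn)) { continue }

        # Get-ADObject returns any directory object by DN; ObjectClass is the most
        # specific structural class (e.g. 'msDS-GroupManagedServiceAccount' for a gMSA).
        $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid

        switch ($obj.ObjectClass) {
            'user' {
                $u = Get-ADUser -Identity $dn -Properties Enabled, LastLogonDate
                [pscustomobject]@{ Type = 'User'; Name = $u.SamAccountName
                                   Enabled = $u.Enabled; Detail = $u.LastLogonDate; Group = $GroupName }
            }
            'group' {
                [pscustomobject]@{ Type = 'Group'; Name = $obj.Name
                                   Enabled = $null; Detail = 'nested, expanded below'; Group = $GroupName }
                Get-GroupMemberDetail -GroupName $dn -Seen $Seen
            }
            'foreignSecurityPrincipal' {
                # FSPs represent SIDs from trusted forests; Get-ADUser cannot resolve them.
                # Translate the SID where a trust allows it, otherwise keep the raw SID.
                $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
                $resolved = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                            catch { $sid.Value }
                [pscustomobject]@{ Type = 'ForeignSecurityPrincipal'; Name = $resolved
                                   Enabled = $null; Detail = $sid.Value; Group = $GroupName }
            }
            { $_ -in 'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount' } {
                # Get-ADServiceAccount covers both gMSAs and standalone MSAs. Report who may
                # retrieve the managed password: that principal effectively owns the account.
                $s = Get-ADServiceAccount -Identity $dn -Properties Enabled, PrincipalsAllowedToRetrieveManagedPassword
                $allowed = ($s.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
                    ($_ -split ',')[0] -replace '^CN=' }) -join ';'
                [pscustomobject]@{ Type = 'ServiceAccount'; Name = $s.SamAccountName
                                   Enabled = $s.Enabled; Detail = "PasswordReaders=$allowed"; Group = $GroupName }
            }
            'computer' {
                $c = Get-ADComputer -Identity $dn -Properties Enabled, OperatingSystem
                [pscustomobject]@{ Type = 'Computer'; Name = $c.SamAccountName
                                   Enabled = $c.Enabled; Detail = $c.OperatingSystem; Group = $GroupName }
            }
            default {
                [pscustomobject]@{ Type = $obj.ObjectClass; Name = $obj.Name
                                   Enabled = $null; Detail = $dn; Group = $GroupName }
            }
        }
    }
}

# Placeholder group name; substitute the group under review.
Get-GroupMemberDetail -GroupName 'App-Admins' | Format-Table -AutoSize
```

Two design choices worth noting: the script walks the `member` attribute rather than calling Get-ADGroupMember, so a member that the member cmdlet cannot resolve (a Foreign Security Principal from a broken trust, for instance) still appears in the output instead of aborting the run; and the gMSA branch surfaces PrincipalsAllowedToRetrieveManagedPassword, because any host or group listed there can pull the account's password from the DC, which is the property an access review of a privileged group actually needs.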

