What are the steps and procedure to use gMSA as the Windows Server Service Account?

Question

What are the steps and procedure to use gMSA as the Windows Server Service Account?

EnterpriseArchitect 6,061

After creating the gMSA using the below PowerShell, how can I successfully replace the services in all of my Windows Server Application servers?

New-ADServiceAccount -Name New-gMSA -DNSHostName Mydomain.com -PrincipalsAllowedToRetrieveManagedPassword "AppServer-AD-SecGrpName"

Thank you for your help and suggestions.

Accepted answer

0 additional answers

Your answer

Answer 1

Marcin Policht 51,055 MVP Volunteer Moderator

Ensure the gMSA is Active on All Target Servers:
- On each application server, install the AD PowerShell module and run:
```
     
     Test-ADServiceAccount -Identity "New-gMSA"
```
- If the result is True, the server can retrieve and use the gMSA.

Grant Permissions to Use the gMSA:

Ensure the service has the correct permissions. On the server, run:

     
     Add-ADComputerServiceAccount -Identity <AppServerName> -ServiceAccount "New-gMSA"

Stop the Service to Update Credentials:
- On each server, stop the service that needs to use the gMSA:
```
     
     Stop-Service -Name "<ServiceName>"
```
Update the Service to Use the gMSA:
- Use the following command to update the service credentials:
```
     
     $serviceName = "<ServiceName>"
```

$gMSA = "New-gMSA$" # Add $ to indicate gMSA Set-Service -Name $serviceName -StartupType Automatic sc.exe config $serviceName obj= $gMSA password= "" ```

Grant Logon as a Service Right:
- Use Group Policy or manually grant the gMSA "Log on as a Service" permission. You can set this locally:
```
     
     ntrights -u "New-gMSA" +r SeServiceLogonRight
```
Start the Service with gMSA:
- Start the service with the new credentials:
```
     
     Start-Service -Name "<ServiceName>"
```
Verify the Service is Running Properly:
- Check that the service is running without issues:
```
     
     Get-Service -Name "<ServiceName>"
```

Automating for Multiple Servers and Services

You can automate the steps using PowerShell remoting across multiple servers. Here’s a sample script for multiple servers:

$servers = @("AppServer1", "AppServer2", "AppServer3")
$serviceName = "<ServiceName>"

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Stop-Service -Name $using:serviceName
        sc.exe config $using:serviceName obj= "New-gMSA$" password= ""
        Start-Service -Name $using:serviceName
    }
}

Important Considerations

Restart Servers: Some services may require a server reboot to correctly apply the gMSA.
Firewall & Policy Configs: Ensure no group policies or firewalls block the new service account from accessing necessary resources.
Testing: Always test in a staging environment before rolling out changes in production.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

EnterpriseArchitect 6,061 Reputation points

2024-10-15T13:31:48.69+00:00

@Marcin Policht ,
Thank you, do I must install the PowerShell module on my laptop to execute the above script you've suggested?
Marcin Policht 51,055 Reputation points MVP Volunteer Moderator

2024-10-15T15:43:46.3833333+00:00

Yes - you'd need to install the AD PowerShell module

More at https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
EnterpriseArchitect 6,061 Reputation points

2024-10-16T01:43:36.3+00:00

@Marcin Policht ,
Do I need to install the PowerShell module https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps in all of the servers above "AppServer1", "AppServer2", "AppServer3" or just one in my laptop only?
EnterpriseArchitect 6,061 Reputation points

2024-10-16T01:59:59.2233333+00:00

@Marcin Policht

There is no command above.
Marcin Policht 51,055 Reputation points MVP Volunteer Moderator

2024-10-16T13:08:59.0366667+00:00
As stated earlier, "On each application server, install the AD PowerShell module"

If you don't have access to ntrights (it used to be available for download form Microsoft Downloads) - then use the following:

# Create an INF file to define the policy change $infPath = "$env:temp\grant_logon_as_service.inf" Add-Content -Path $infPath -Value @" [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Privilege Rights] SeServiceLogonRight = New-gMSA "@ # Apply the INF policy secedit /configure /db secedit.sdb /cfg $infPath /areas USER_RIGHTS

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

EnterpriseArchitect 6,061

@Marcin Policht ,
I cannot find where to download the NTRights file.

Can I also use this:

function Add-ServiceLogonRight([string] $Username) {
    Write-Host "Enable ServiceLogonRight for $Username"

    $tmp = New-TemporaryFile
    secedit /export /cfg "$tmp.inf" | Out-Null
    (gc -Encoding ascii "$tmp.inf") -replace '^SeServiceLogonRight .+', "`$0,$Username" | sc -Encoding ascii "$tmp.inf"
    secedit /import /cfg "$tmp.inf" /db "$tmp.sdb" | Out-Null
    secedit /configure /db "$tmp.sdb" /cfg "$tmp.inf" | Out-Null
    rm $tmp* -ea 0
}

Marcin Policht 51,055 Reputation points MVP Volunteer Moderator

2024-10-16T14:18:01.6966667+00:00

Refer to my previous response

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

EnterpriseArchitect 6,061

@Marcin Policht ,

Do I need to specify the gMSA name with $ sign like below ?

# Create an INF file to define the policy change
$infPath = "$env:temp\grant_logon_as_service.inf"
Add-Content -Path $infPath -Value @"
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = New-gMSA$
"@
# Apply the INF policy
secedit /configure /db secedit.sdb /cfg $infPath /areas USER_RIGHTS

and then delete the .INF file after the command completion?

Marcin Policht 51,055 Reputation points MVP Volunteer Moderator

2024-10-17T11:43:27.6033333+00:00

Confirmed

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Alex Turff 5 Reputation points

2025-05-20T09:24:08.2+00:00

Step 4 has a malformed code block.

for step 2 you are linking it to the server not a specific service? once you do that any service on the server can just use it?

Is step 2 the same as adding the computer to the account's access group, or is it doing something else?

(commenting as this is a top result on google for gmsa account setup)

Share via

What are the steps and procedure to use gMSA as the Windows Server Service Account?

0 additional answers

Your answer