Install-ADServiceaccount does not work with Security-Groups

Ludwig 1 Reputation point
2021-11-19T11:03:36.263+00:00

Hi,

i have the following problem:

When I want to Install my gmsa with "PrincipalsAllowedToRetrieveManagedPassword" assigned to a Security-Group:

Install-ADServiceAccount gmsa_test

i got the following message:

Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.

and:

WARNING: Test failed for Managed Service Account gmsa_test. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
for the gMSA. See the MSA operational log for more information.

In the Event-Viewer, I got the following:

Netlogon failed to add gmsa_test as a managed service account to this local machine. {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

If my gmsa_test is directly assigned with -PrincipalsAllowedToRetrieveManagedPassword "Server1$" to the server, it works well.

any ideas?

Thanks!

BR
Ludwig

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,745 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,684 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Limitless Technology 39,196 Reputation points
    2021-11-22T08:48:58.983+00:00

    Hi there,

    It is possible that you didn't correctly allowed the local computer account on which you are trying to install the AD group managed service account (gMSA) to obtain its plaint-text password. It means you didn't specify the machine account in the list of -PrincipalsAllowedToRetrieveManagedPassword parameter values of the New-ADServiceAccount or the Set-ADServiceAccount.

    Without being able to retrieve the password, the servers which need to log on the group managed service account would not be able know its password and log the account on.


    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments

  2. Ludwig 1 Reputation point
    2021-11-22T10:29:56.88+00:00

    Hi,

    its solved by herserlf.
    I didn't pay attention to the kerberos thing. Of course, after 10 hours the computer requested a new kerberos ticket and then registered its group membership. Since the computer is used in prod, I could not restart it either.... That would have solved the problem as well.
    But thanks for the answers.

    BR

    0 comments No comments