PowerShell: Creating Active Directory Managed Service Accounts

Hey folks,

I’ve recently been trying to learn more about Active Directory Managed Service Accounts (MSAs), which are basically self-managing service accounts. You don’t have to manage the Service Principal Name (SPN) or password for MSAs, which makes them very good choices for running applications. You can read more about MSAs on Microsoft Technet at this URL.

Similar to MSAs are local “virtual accounts.” These do not have password to manage, and they can automatically manage their SPNs. These are not within the scope of discussion, however there are some links in the References section, which might help you to get more information about them.

Creating a Group Managed Service Account with PowerShell

I’ve been trying to create a MSA using PowerShell using the command below, but I kept getting an error. There is a Technet discussion forum post that addresses this same issue. In my scenario, I was running the command on a Windows Server 2012 domain controller.

PS C:\Users\Administrator> New-ADServiceAccount -Name ServiceManager -DNSHostName dc01;
New-ADServiceAccount : Key does not exist
At line:1 char:1
+ New-ADServiceAccount -Name ServiceManager -DNSHostName dc01;
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=ServiceManag...DC=mybiz,DC=loc:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:-2146893811,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

As it turns out, there is a new service in Windows Server 2012 called the Key Distribution Service (KDS), which is implemented in kdssvc.dll. This service is required in order to create and use Group Managed Service Accounts (MSAs), which are a new concept to Windows Server 2012. Windows Server 2008 R2 introduced the concept of a stand-alone MSA, which could only apply to one service at a time. In order to support the creation of these new group MSAs, we will need to add a new KDS “root key.” If you’re working in a lab / test environment, and have only a handful of domain controllers, then you can use the command shown below to create the root key.

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10));

After running this command, you should be able to re-run the New-ADServiceAccount cmdlet successfully (see screenshot below). If you are running your Active Directory forest at the Windows Server 2012 functional level, then you will have created a Group Managed Service Account (gMSA).

Installing the Group Managed Service Account (gMSA) with PowerShell

Next, we need to install the gMSA onto the server that we want to use it on. We can use the Install-ADServiceAccount PowerShell cmdlet to do that. But first things first, we need to ensure that the server we are going to install it on has permission to retrieve the gMSA’s password from Active Directory. Since we didn’t specify the -PrincipalsAllowedToRetrieveManagedPassword parameter when we created the service account, we can use the Set-ADServiceAccount cmdlet to change that setting on the gMSA. After that, we can install the gMSA on the local system. Below is an example of how to do this.

Set-ADServiceAccount -Identity ServiceManager -PrincipalsAllowedToRetrieveManagedPassword scsm01$;
Install-ADServiceAccount -Identity ServiceManager;

At this point, you should be able to use the gMSA to configure a Windows service. I’m still trying to figure out how to use gMSAs with Scheduled Tasks, but that’s a topic for another time.

References

Technet – Getting Started with Group Managed Service Accounts
Technet – Service Accounts Step-by-Step Guide (Server 2008 R2)
Technet – New-ADServiceAccount (Server 2012)
Technet – Installing a Managed Service Account
Technet Forums – Install-ADServiceAccount: Access Denied
Technet Forums – New-ADServiceAccount: Key Does Not Exist

  • #PowerShell: Creating Active Directory Group Managed Service Accounts (gMSA) http://t.co/4MOCgx47 #itpro #sysadmin #ws2012 #winserv

  • Use #PowerShell to create Active Directory 2012 Group Managed Server Accounts http://t.co/4MOCgx47 #itpro #sysadmin #ws2012 #winserv

  • Use #PowerShell to create an Active Directory Managed Service Account http://t.co/4MOCgx47 #itpro #sysadmin #ws2012 #winserv

  • Use #PowerShell to create Active Directory Group Managed Service Accounts http://t.co/4MOCgx47 #itpro #sysadmin #ws2012 #winserv

  • Nice, one that solved my problem. Thanks Trevor!

    • Hi Bobb, glad to hear that this article helped!! Cheers!

  • Amogh Natu

    Hello, Thanks for the article. I’m completely new to Active Directory. Can you please explain what ‘scsm01$’ is? After running the Set-ADServiceAccount cmdlet, I’m getting an error saying “Cannot find the object with identity ‘scsm01$’ “. Am I missing something?

  • Nemanja Jovic

    @amoghnatu:disqus scsmo01$ represents one host which will be install that specified service account in local store, scsmo01 is name, $ dollar sign represents something like administrative authorization