PowerShell: Creating Active Directory Managed Service Accounts

Hey folks,

I’ve recently been trying to learn more about Active Directory Managed Service Accounts (MSAs), which are basically self-managing service accounts. You don’t have to manage the Service Principal Name (SPN) or password for MSAs, which makes them very good choices for running applications. You can read more about MSAs on Microsoft Technet at this URL.

Similar to MSAs are local “virtual accounts.” These have no password to manage, and they manage their SPNs automatically. They are out of scope for this post, but the References section contains links with more information about them.

Creating a Group Managed Service Account with PowerShell

I’ve been trying to create an MSA with PowerShell, using the command below, but I kept getting an error. There is a Technet discussion forum post that addresses this same issue. In my scenario, I was running the command on a Windows Server 2012 domain controller.

PS C:\Users\Administrator> New-ADServiceAccount -Name ServiceManager -DNSHostName dc01;
New-ADServiceAccount : Key does not exist
At line:1 char:1
+ New-ADServiceAccount -Name ServiceManager -DNSHostName dc01;
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=ServiceManag...DC=mybiz,DC=loc:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:-2146893811,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

As it turns out, there is a new service in Windows Server 2012 called the Key Distribution Service (KDS), which is implemented in kdssvc.dll. This service is required in order to create and use Group Managed Service Accounts (gMSAs), which were introduced in Windows Server 2012. Windows Server 2008 R2 introduced the stand-alone MSA, which could only be used by one computer at a time. To create the new group MSAs, we first need to add a KDS “root key.” A newly added root key only becomes usable ten hours after its effective time, which gives it time to replicate to every domain controller. If you’re working in a lab / test environment and have only a handful of domain controllers, you can backdate the effective time with the command below so the key is usable immediately; in production, add the key without backdating and wait the ten hours before creating any gMSA.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10));

After running this command, you should be able to re-run the New-ADServiceAccount cmdlet successfully (see screenshot below). If you are running your Active Directory forest at the Windows Server 2012 functional level, then you will have created a Group Managed Service Account (gMSA).

Installing the Group Managed Service Account (gMSA) with PowerShell

Next, we need to install the gMSA on the server that will use it, which we do with the Install-ADServiceAccount PowerShell cmdlet. But first things first: that server must have permission to retrieve the gMSA’s password from Active Directory. Since we didn’t specify the -PrincipalsAllowedToRetrieveManagedPassword parameter when we created the service account, we can use the Set-ADServiceAccount cmdlet to set it now. In the example below, scsm01$ is the computer account of the target server (the trailing $ marks a computer account). Keep this list to exactly the hosts that run the service: every principal on it can read the gMSA’s password. After that, we can install the gMSA on that server. Below is an example of how to do this.

Set-ADServiceAccount -Identity ServiceManager -PrincipalsAllowedToRetrieveManagedPassword scsm01$;
Install-ADServiceAccount -Identity ServiceManager;

At this point, you should be able to use the gMSA to configure a Windows service. I’m still trying to figure out how to use gMSAs with Scheduled Tasks, but that’s a topic for another time.
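The two sections above are steps of one procedure, so here is the whole thing as a single script, with the checks a defender would want at each step. This is an added example, not code from the original post; the gMSA name ServiceManager and the server name scsm01 are taken from the post, while the DNS host name ServiceManager.mybiz.loc is an assumption. It also differs from the post in one respect: it sets -PrincipalsAllowedToRetrieveManagedPassword at creation time rather than afterwards, so the account never exists without a scoped retrieval list.

```powershell
# Added example (not from the original post): end-to-end gMSA setup with checks.
# Assumptions: gMSA "ServiceManager", target server "scsm01" (both from the post),
# DNS host name "ServiceManager.mybiz.loc" (made up for this example).
Import-Module ActiveDirectory

$gmsaName   = 'ServiceManager'
$dnsHost    = 'ServiceManager.mybiz.loc'   # assumed
$targetHost = 'scsm01'                     # server that will run the service

# --- Steps 1-3 run on a domain controller (or any host with RSAT AD tools) ---

# 1. Make sure a KDS root key exists and is already effective. Without one,
#    New-ADServiceAccount fails with "Key does not exist".
$key = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not $key) {
    # Lab only: backdating EffectiveTime skips the 10-hour replication wait.
    # In production, omit -EffectiveTime and wait before creating any gMSA.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
} elseif ($key.EffectiveTime -gt (Get-Date)) {
    throw "KDS root key becomes effective at $($key.EffectiveTime); wait before creating the gMSA."
}

# 2. Create the gMSA and restrict password retrieval to the one computer
#    account that needs it (least privilege). Any principal on this list
#    can read the gMSA's password, so it should name only the hosts that run
#    the service, never a broad group such as Domain Computers.
$computer = Get-ADComputer -Identity $targetHost
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $computer

# 3. Audit: list who may retrieve the password. Anything beyond the servers
#    that run the service is an exposure worth fixing.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# --- Step 4 runs on $targetHost, as a local administrator ---

# The computer account only sees the new permission with a fresh Kerberos
# ticket. Purge the SYSTEM (LUID 0x3e7) ticket cache, or reboot, before
# installing; otherwise Install-ADServiceAccount reports "Access Denied".
klist -li 0x3e7 purge | Out-Null
Install-ADServiceAccount -Identity $gmsaName

# Returns True when this host can retrieve the gMSA's password, False otherwise.
Test-ADServiceAccount -Identity $gmsaName
```

Steps 1 to 3 are run where the AD cmdlets can reach a domain controller, and step 4 is run locally on the target server rather than through Invoke-Command, because the remote session would not carry delegated credentials to Active Directory. Test-ADServiceAccount is the check to re-run whenever the principal list or the host changes: a False there is the symptom of the Access Denied problem listed in the references.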

References
Technet – Getting Started with Group Managed Service Accounts
Technet – Service Accounts Step-by-Step Guide (Server 2008 R2)
Technet – New-ADServiceAccount (Server 2012)
Technet – Installing a Managed Service Account
Technet Forums – Install-ADServiceAccount: Access Denied
Technet Forums – New-ADServiceAccount: Key Does Not Exist