
I have to install several new application servers (2012R2) for a project which will run IIS and MSMQ. I need to script the complete install, so I need to be able to change permissions on IIS Application Pools, for instance. I plan to use MSAs for this, since I do not have to deal with passwords in the deployment scripts.

My issue is that the "deployment solution agent" runs as Local System on the machines, which does not have permissions to update the required settings in AD to "install" the MSA on the local machine.

Has anyone gotten this to work? I assume I can delegate permissions on the specific computer account, but that could get messy as well.

SamErde
Xenophane
    "*any user with Create/Delete msDS-ManagedServiceAccount permissions can also administer these managed service accounts*" - https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx I seriously would consider at least testing this - grant the "Create msDS-ManagedServiceAccount" right to the computer account (or group of computer accounts) on the "Managed Service Accounts" container and see if it works. I can't see how it is any more messy than the alternatives. – the-wabbit Jan 22 '15 at 15:15

0 Answers