2

So the documentation for creating gMSAs says that the parameter "-PrincipalsAllowedToRetrieveManagedPassword" should restrict the ability of using the gMSA to the machines that are part of the security groups given in the parameter. E.g.

New-ADServiceAccount -name dev-service -DNSHostName dev-service -PrincipalsAllowedToRetrieveManagedPassword gMSA-dev-service-allowed-hosts

should, as I understand it, allow only the machines that are part of the security group "gMSA-dev-service-allowed-hosts" to access the password of the account dev-service, thereby limiting the machines that can use the account.

My problem is that I can not get it to work that way. Even on a machine that is not a member of "gMSA-dev-service-allowed-hosts", the account can be used without problem.

Did I misunderstand the meaning of -PrincipalsAllowedToRetrieveManagedPassword?

Thanks

Best,

dsa

  • What do you mean by "can be used without problem"? Is the local service on that computer able to **authenticate as the gMSA**? – Daniel May 18 '15 at 16:09
  • Yes. I can use the gMSA as the logon account for the service and no errors are reported in the event log and the service runs fine. – dsa May 18 '15 at 19:39

2 Answers

3

Setting the -PrincipalsAllowedToRetrieveManagedPassword restricts the use of Install-ADServiceAccount, which is another step that must happen before you're able to use the gMSA. Once the gMSA is installed, the service will start regardless of the PrincipalsAllowed setting until the managed password changes.

Any computer using the gMSA that is not included in the PrincipalsAllowed entities will not be able to change the managed password, nor will it be able to retrieve a managed password from the domain after it was changed. If the gMSA managed password was changed by a computer that has the privileges to do so, that will cause logon failures for services running on computers that are not in the PrincipalsAllowed entities.

You must ensure that every computer running services using a particular gMSA is included in the PrincipalsAllowed entities for that gMSA, or it will cause problems with starting/restarting services down the line (a month later, as the default managed password changes are scheduled at 30 days).

https://technet.microsoft.com/en-us/library/hh852196%28v=wps.630%29.aspx

Notes: To successfully install a managed service account, the service account should have the PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet. Otherwise, installation will fail.

E.g.

# Running this on APPSERVER1

$appServer1 = Get-ADComputer APPSERVER1
$appServer2 = Get-ADComputer APPSERVER2

$gMSA = New-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer2 -DnsHostName 'APP1'

Install-ADServiceAccount 'APP1'
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount 'APP1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (APP1:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Set-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer1

Install-ADServiceAccount 'APP1'

The last command will now succeed. Once you configure the service credentials, the service will start.

Set-ADServiceAccount 'APP1' -PrincipalsAllowedToRetrieveManagedPassword $appServer2

Now, restarting the service will still work. However, if you perform an Uninstall-ADServiceAccount and then try to re-install it, you will get the same error shown above.

Starting the service will also fail with a logon failure if the password was changed by APPSERVER2 in the meantime.

Patrick
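As an added example that is not part of Patrick's answer, a PowerShell check for the failure mode he describes: it expands PrincipalsAllowedToRetrieveManagedPassword (including computers reached through group membership) and flags service hosts that are absent, since those keep running on the cached password only until the next rotation. The gMSA name 'APP1' is taken from the answer; the host list is an assumed inventory.

```powershell
# Added example, not code from the question or the answer above. Assumes the
# ActiveDirectory module, a gMSA named 'APP1' (the answer's example name) and a
# hypothetical list of servers that run services as that gMSA.
Import-Module ActiveDirectory

$gmsaName     = 'APP1'
$serviceHosts = @('APPSERVER1', 'APPSERVER2')   # hypothetical inventory

$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, PasswordLastSet

# Expand the allowed principals to computer names: direct computer objects plus
# the recursive computer members of any groups.
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    switch ($obj.ObjectClass) {
        'computer' { $obj.Name }
        'group'    {
            Get-ADGroupMember -Identity $dn -Recursive |
                Where-Object { $_.objectClass -eq 'computer' } |
                ForEach-Object { $_.Name }
        }
    }
}
$allowed = @($allowed | Sort-Object -Unique)

# Hosts that can still run the service today (cached password) but will get a
# logon failure once the managed password rolls over.
$missing = @($serviceHosts | Where-Object { $allowed -notcontains $_ })

$interval = if ($gmsa.ManagedPasswordIntervalInDays) { $gmsa.ManagedPasswordIntervalInDays } else { 30 }
$nextRoll = $gmsa.PasswordLastSet.AddDays($interval)   # approximate: rotation is applied lazily

"gMSA $gmsaName : allowed hosts = $($allowed -join ', ')"
"Password last set $($gmsa.PasswordLastSet); next rotation around $nextRoll"
if ($missing.Count -gt 0) {
    Write-Warning ("Not allowed to retrieve the password (will fail after rotation): " + ($missing -join ', '))
} else {
    'All service hosts are in PrincipalsAllowedToRetrieveManagedPassword.'
}

# Run on one of the service hosts: False means this computer cannot retrieve the
# current password (not in the allowed principals, or never installed here).
Test-ADServiceAccount -Identity $gmsaName
```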
-2

Make sure you examine the output of the following:

Test-ADServiceAccount dev-service
sysadmin1138