11

I've just granted permissions for an MSA (Managed Service Account) to some resources.

Can I verify it works, by running a cmd.exe process with the credentials of the MSA account, and check I have the proper permissions?

iTayb

2 Answers

15

Possible with Sysinternals' PsExec Tool, with a blank password.

Command example:

```
PsExec.exe -u domain\MsaAccount$ cmd.exe
```
iTayb
  • Thanks, this works! I had to try it a few times. It gave errors like "The system cannot find the file specified." and "The local account store does not contain secret material for the specified account." but on the 3rd attempt the same command worked. – EM0 Feb 04 '16 at 12:00
  • Also, the managed service needs to be assigned to the computer on which you're running this, otherwise you get "The username or password is incorrect". We use Managed Service Accounts GUI by Cjwdev for this. – EM0 May 12 '16 at 10:05
5

Skip the password prompt by substituting ~ for the password in PowerShell.

```
./psexec -i -u domain\gMSA$ -p ~ notepad.exe
```
jhiller
  • This command worked with `net use`. Seems like without `-i`, the MSA user doesn't have access to the network or some other access error like that. – Paul-Sebastian Feb 26 '21 at 10:02
  • How did you use `net use` with the MSA account? If I input a blank password it complains about it. Putting in a gibberish password also doesn't work. – Crust3 Mar 12 '21 at 21:47
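
A scripted version of the check discussed in the answers above, as an added example that is not part of the original posts: it first confirms with `Test-ADServiceAccount` that the MSA can be used on this computer (the condition EM0's comment describes), then reuses the PsExec command from the answers to list a resource as the MSA. The parameter names, the PsExec location and the `dir` probe are assumptions chosen for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: parameter names and defaults are hypothetical.
param(
    [Parameter(Mandatory)] [string] $Domain,        # NetBIOS domain name
    [Parameter(Mandatory)] [string] $MsaName,       # MSA name WITHOUT the trailing $
    [Parameter(Mandatory)] [string] $ResourcePath,  # folder/share the MSA was granted access to
    [string] $PsExecPath = '.\PsExec.exe',          # assumed location of Sysinternals PsExec
    [switch] $Interactive                           # adds -i, as in the second answer
)

# The MSA has to be assigned to this computer, otherwise the logon fails with
# "The username or password is incorrect" (see the comment on the first answer).
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA '$MsaName' is not installed or not usable on $env:COMPUTERNAME."
}

$account = "$Domain\$MsaName`$"     # backtick keeps the literal trailing $

# Common PsExec arguments. '~' is the password placeholder from the second
# answer; it is quoted so that PowerShell passes it through unchanged.
$psexecArgs = @('-accepteula', '-u', $account, '-p', '~')
if ($Interactive) { $psexecArgs += '-i' }   # a comment above reports network access failing without -i

# Step 1: confirm a process can be started under the MSA at all.
& $PsExecPath @psexecArgs cmd.exe /c whoami
if ($LASTEXITCODE -ne 0) {
    throw "Could not start a process as $account (exit code $LASTEXITCODE)."
}

# Step 2: probe the resource as the MSA. PsExec returns the exit code of the
# program it ran, so a non-zero code here means 'dir' failed (e.g. access denied).
& $PsExecPath @psexecArgs cmd.exe /c dir "$ResourcePath"
if ($LASTEXITCODE -eq 0) {
    Write-Output "PASS: $account can list $ResourcePath"
} else {
    Write-Output "FAIL: $account cannot list $ResourcePath (exit code $LASTEXITCODE)"
}
```

`Test-ADServiceAccount` comes from the ActiveDirectory module (RSAT), which must be present on the machine where the check runs.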