
We have a new process I'm trying to implement. Part one of my task is basically to change the local administrator password every month and update the password vault with the new password for the administrator team - this part of my PowerShell script is fine.

We are also going to use managed service accounts; I will use a managed service account to run my PowerShell script to change the password on every server remotely - this is my problem.

To use the service account like this I'm creating a group to place servers in, then creating a service account linked to it:

New-ADServiceAccount -Name "serviceaccount" -DNSHostName "serviceaccount.domain.com" -Path "OU=ServiceAccounts,DC=domain,DC=com" -PrincipalsAllowedToRetrieveManagedPassword "gMSA-ServerGroup"

This is all great... but installing it on every server remotely 0_o doesn't work with this command: Install-ADServiceAccount -Identity "serviceaccount"

Unless I am logged into the server that requires it. I have tested this: open PowerShell and run the command, no error, tested and perfect!

This doesn't work:

Invoke-Command -ComputerName $server -Credential $credentials -ScriptBlock {
 #try to install service account
 Install-ADServiceAccount -Identity "serviceaccount"
}

Anyone have this problem?

Can I do it a different way, maybe through Group Policy?

Server OS varies: 2008, 2012 and 2016

  • Might be a delegation issue, i.e., the Install-AdServiceAccount command running on the remote server is trying to access the Active Directory on your behalf and can't because of the way the remote command is running. Perhaps try running it with the psexec tool and the `-s` flag so that it runs as the remote server (i.e., as local system on the remote server) rather than as you? (Or there may be a way to do the same thing in PowerShell, I don't know.) – Harry Johnston Feb 16 '19 at 22:02
  • To answer *this* question, although I still highly recommend my suggestion below, it's probably a double-hop issue with PS Remoting, and you'll need to fiddle with CredSSP to get it working - http://www.codeproject.com/Tips/847119/Resolve-Double-Hop-Issue-in-PowerShell-Remoting – LeeM Feb 18 '19 at 05:33
  • Agreed; it's a double-hop problem. – Semicolon Feb 21 '19 at 17:15

1 Answer

I highly recommend using Microsoft's own solution, LAPS, to manage local Admin passwords.

It's basically a group policy extension that changes the passwords and stores them in a hashed attribute on the Computer account in AD. You use your normal AD tools, including PowerShell, to manage it. There's a little GUI tool that can be installed anywhere (such as a management computer).

No service account required, but you need to install a DLL on the client machines and do a bit of (simple) tweaking of AD permissions.

More info and download here. The download package has a deployment guide in it.

LeeM
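As an added example (not part of the answer above or of the LAPS package), this is the AD-side setup the answer calls "a bit of (simple) tweaking of AD permissions", done with the AdmPwd.PS module from the LAPS download, followed by the check a defender should run before rollout and the retrieval that replaces the vault update in the question. The OU path, group name and server name are assumptions; the schema step needs Schema Admin rights, the rest Domain Admin or equivalent on the OU.

```powershell
# Added example: LAPS AD setup, audit and retrieval with the AdmPwd.PS module.
# Assumptions for this example: servers live under $serverOU and the admin
# team is in $readGroup. Run from a management host, not on the servers.
Import-Module AdmPwd.PS

$serverOU  = "OU=Servers,DC=domain,DC=com"   # assumed OU holding the servers
$readGroup = "LocalAdminPasswordReaders"     # assumed group for the admin team

# 1. One-time: add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
#    attributes to the computer class (Schema Admin required).
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiry attributes;
#    the client-side DLL runs as the machine account, so no service account.
Set-AdmPwdComputerSelfPermission -OrgUnit $serverOU

# 3. Grant the admin team read and reset rights on the OU. Read access is what
#    the ACL protects, so keep this group small and audited.
Set-AdmPwdReadPasswordPermission  -OrgUnit $serverOU -AllowedPrincipals $readGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $serverOU -AllowedPrincipals $readGroup

# 4. Defender check: any principal holding "All extended rights" on the OU can
#    read every stored password. List them and remove anything unexpected.
Find-AdmPwdExtendedRights -Identity $serverOU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize

# 5. Day-to-day retrieval; this is what replaces the monthly vault update.
$entry = Get-AdmPwdPassword -ComputerName "SERVER01"   # assumed server name
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the current local administrator password.

# 6. After a retrieved password has been used, force rotation on the next
#    Group Policy refresh instead of waiting for the expiry.
Reset-AdmPwdPassword -ComputerName "SERVER01"
```

Steps 1 to 3 are run once per OU; step 4 is worth repeating on a schedule, since any later ACL change that grants "All extended rights" silently widens who can read the passwords.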