Questions tagged [managed-service-accounts]

34 questions
11 votes, 2 answers

Run command with a Managed Service Account?

I've just granted permissions for a MSA (Managed Service Account) to some resources. Can I verify it works, by running a cmd.exe process with the credentials of the MSA account, and check I have the proper permissions?
iTayb
5 votes, 1 answer

How can I get a Managed Service Account to use internet proxy settings from Group Policy?

I have a service running on a Windows 2012 R2 domain member server that requires internet access. The service is configured to run under a Managed Service Account and the account is granted local administrator privileges on the domain member. Group…
5 votes, 1 answer

How to tell when a managed service account password last changed

We have a managed service account running a service on a Windows 2012 R2 service. The service has a pattern of failing every 30 or 60 days (sometimes 30 days, sometimes 60 days). One thought we had was the Managed Service Account password change…
Greg
5 votes, 1 answer

How do I fix a non-starting "Microsoft Key Distribution Service"? (not to be confused with Kerberos KDS)

The Microsoft Key Distribution Service is not starting on my DC (kdssvc.dll) and when I look at the event log under Microsoft\Kdssvc, I see the events: Event ID 4001 Group Key Distribution Service failed to start. Status 0x80070020. Event ID…
5 votes, 0 answers

Installing MSA (Managed Service Accounts) using Windows deployment tools

I have to install several new application servers (2012R2) for a project which will run IIS and MSMQ. I need to script the complete install, so I need to be able to change permissions on IIS Application Pools for instance. I plan to use MSA's for…
4 votes, 1 answer

Install Service Account remotely to lots of servers

We have a new process I'm trying to implement, part one of my task basically is change the local administrator password every month and update the password vault with the new password for the administrator team. - this part of my PowerShell script…
4 votes, 1 answer

Giving permissions to Virtual Service Accounts on domain controllers

The service I'm implementing will run on a domain controller, so I'd like it to have minimal privileges. Ideally, it would simply run as Local Service. However, it needs to be able to: monitor performance counters (be a member of Performance…
3 votes, 0 answers

Install Windows Service using chef and have it run using a Group Managed Service Account

I'm trying to set up a number of dev servers using Chef. I need a Windows Service to run as a managed service account. I have the following in a recipe: windows_service 'My Windows Service' do action :create display_name "My Windows Service" …
Greg
3 votes, 1 answer

Does a Managed Service Account require a domain?

Does a Managed Service Account require a domain? I am trying to set up a standalone server (no domain) to add managed service accounts to assign for running services instead of creating local user accounts. I would prefer to use PowerShell cmdlets to…
jcolebrand
3 votes, 1 answer

Group Managed Service Accounts per service per server (Best practice?) and long names?

I've talked with a few colleagues about what might be best practice for using group managed service accounts in our environment. It seems that ideally, we would create 1 gMSA per service (e.g. SQL Agent service) per server (e.g. SQLDEV01). This…
2 votes, 1 answer

Does Install-ADServiceAccount modify "NT SERVICE\ALL SERVICES"

I had a problem where newly created Managed Service Accounts did not have "Logon as a service" right. A GPO was excluding "NT SERVICE\ALL SERVICES" from "Logon as a service". This was fixed. Am I right in thinking that Install-ADServiceAccount adds…
leancz
2 votes, 0 answers

Can I use a gMSA for stored credentials in a SSRS data source?

I have an instance of SQL Server 2016 Reporting Services service running under DOMAIN\reporting$ containing a data source that needs to query a database using the stored credential DOMAIN\database$. Unfortunately when I store the gMSA credential and…
Mike
2 votes, 0 answers

Can I as a normal user run stuff under a managed service account?

Let's say I have remote access to a server which uses MSAs to run application pools and Windows services. Can I as a normal (not elevated) user run programs under those MSAs? For example PsExec.exe -u domain\MsaAccount$ cmd.exe I would say no,…
2 votes, 1 answer

Using group managed service accounts on OS version < Windows 2012

Trying to leverage benefit of Group-Managed Service Accounts (gMSA) but have a mixed environment. My guide was this blog post: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/ I've…
2 votes, 2 answers

Group Managed Service Accounts: -PrincipalsAllowedToRetrieveManagedPassword

So the documentation for creating gMSAs says that the parameter "-PrincipalsAllowedToRetrieveManagedPassword" should restrict the ability of using the gMSA to the machines that are part of the security groups given in the parameter.…