Monday, May 4, 2020

gMSA Account Configuration (PowerShell)


Step 1 - We need to create a KDS root key. This must be run on a domain controller with Domain Admin or Enterprise Admin privileges.

For a production environment, run the command below in PowerShell:

Add-KdsRootKey -EffectiveImmediately

In a test environment, use the command below to remove the waiting time (it backdates the key's effective time by 10 hours):

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

To check whether the key was created:

Get-KdsRootKey

Step 2 - Run the command below to create the gMSA user:

New-ADServiceAccount "gmsauser" -DNSHostName "dc1.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "gmsaGroup"

Step 3 - Use the steps below to give the host server read access:
a) Server Manager => Tools => Active Directory Administrative Center
b) Locate the created gMSA user
c) Under Security, add each of the domain controllers with read access
d) SHOULD HAVE added the actual client machine.
e) Reboot each server, including the DCs

Step 4 - To install the gMSA on a server, open a PowerShell terminal and run the following commands (the cmdlet verbs were missing in the original listing; Install-ADServiceAccount installs the account on the local host and Test-ADServiceAccount verifies that this host can retrieve its managed password):
Install-ADServiceAccount -Identity gmsauser
Test-ADServiceAccount gmsauser
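The four steps above as one scripted run with checks, added here as an example and not part of the original post. It assumes hypothetical names: domain example.com, gMSA "gmsauser", group "gmsaGroup" and a service host "app01" (the post uses dc1.example.com as the DNS host name); the DC part runs as Domain Admin, the last part on the host itself.

```powershell
# Added example (not from the original post). Assumed names: example.com,
# gMSA "gmsauser", group "gmsaGroup", service host "app01".
Import-Module ActiveDirectory

# --- On a domain controller ---
# 1. A KDS root key must exist or New-ADServiceAccount fails.
if (-not (Get-KdsRootKey)) {
    # Production: the key becomes usable after about 10 hours of replication.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Grant password retrieval to a group rather than to individual computers,
#    so hosts can be added or retired without editing the gMSA object.
if (-not (Get-ADGroup -Filter "Name -eq 'gmsaGroup'")) {
    New-ADGroup -Name 'gmsaGroup' -GroupScope Global -GroupCategory Security
}
# Only the host that actually runs the service belongs in this group.
Add-ADGroupMember -Identity 'gmsaGroup' -Members (Get-ADComputer -Identity 'app01')

# 3. Create the gMSA; DNSHostName is the host the service will run on.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'gmsauser'")) {
    New-ADServiceAccount -Name 'gmsauser' -DNSHostName 'app01.example.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'gmsaGroup'
}

# 4. Audit: list exactly which principals may read the managed password.
#    Anything beyond the intended group is a misconfiguration worth fixing.
$gmsa = Get-ADServiceAccount -Identity 'gmsauser' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { Get-ADObject -Identity $_ | Select-Object Name, ObjectClass }

# --- On the host (app01), after a reboot so the new group membership is in its token ---
Install-ADServiceAccount -Identity 'gmsauser'
# Test-ADServiceAccount returns $true only if this computer can retrieve the password.
if (-not (Test-ADServiceAccount -Identity 'gmsauser')) {
    throw 'gmsauser could not be installed: check group membership and the KDS key.'
}
```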
