Skip to content

Instantly share code, notes, and snippets.

@flandersen
Last active February 9, 2024 14:36
Show Gist options
  • Save flandersen/15f3ae21945f651887aa4f6abb257edf to your computer and use it in GitHub Desktop.
Save flandersen/15f3ae21945f651887aa4f6abb257edf to your computer and use it in GitHub Desktop.
Creating a Secure standalone managed service account (sMSA)

Introcution

I want to run a scheduler task using an sMSA user. The user can only be used on the destination machine and the password is managed by the domain. Standalone managed service accounts (sMSAs) are managed domain accounts that help secure services running on a server.

This procedur describes how an sMSA user is created and how to assign it to a scheduler task.

Create and install sMSA user (Windows Server 2019 Version 1809)

  1. On the domain controller (DC), create the managed service account and assign it to the destination machine.
Import-Module ActiveDirectory
New-ADServiceAccount -SamAccountName "MSA1" -Name "MSA1" `
  -Description "My new sMSA" -RestrictToSingleComputer -Server $(Get-ADDomainController) `
  -Enabled $true
# -SamAccountName restricted to max. 14 characters.
# add the following parameter for custom password renew interval in days
# "-ManagedPasswordIntervalInDays 40" (default: 30 days)

# Get the identity of the target machine to use the new sMSA account on.
$ServerIdentity = Get-ADComputer -identity "Server01"

# Get the identity of the new sMSA we just created.
$MsaIdentity    = Get-ADServiceAccount -Filter "Name -eq 'MSA1'" -Properties *

# Assign the new sMSA account to the one target machine we needed it on.
Add-ADComputerServiceAccount -Identity $ServerIdentity -ServiceAccount $MsaIdentity.SamAccountName
  1. Create a GPO to allow the managed service account to "Log on as a service" respectively "Log on as a batch job" and assign it to the destination machine.
  2. On the destination machine, install the user:
# Install feature for using the PowerShell module "ActiveDirectory".
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Import-Module ActiveDirectory

# Create a object variable with the new sMSA we just created.
$MsaIdentity = Get-ADServiceAccount -Filter "Name -eq 'MSA1'" -Properties *

# Installs an existing AD sMSA on the computer on which the cmdlet is run.
Install-ADServiceAccount -Identity $MsaIdentity.SamAccountName

# Test that this computer can retrieve the sMSA account password from the AD.
Test-ADServiceAccount -Identity $MsaIdentity.SamAccountName
# Expected result: $true
  1. Test the user account with PowerShell using PsExec from Sysinternal.
PsExec.exe -u "DOMAIN\MSA1$" powershell.exe
> whoami
DOMAIN\MyServiceAccount$
  1. Assigning the user to a service (optional).
    The user can now be assigned to a service. Under tab "Log On", select the new sMSA (domain\MyServiceAccount$) and leave the password empty. The server can now be started with this user.
  2. Assigning the user to an existing Scheduler Task:
# Dollar sign has to be added after the sMSA.
schtasks /Change /TN "MyTask" /RU "MSA1$" /RP""
  1. Assigning the user to a new scheduler task:
# Dollar sign has to be added after the sMSA.
$ScheduleRunTime = (Get-Date).AddDays(1).Date + "09:00:00"
$Trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 1 -At $ScheduleRunTime
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\Scripts\MyScript.ps1'
$Settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable -WakeToRun
$Principal = New-ScheduledTaskPrincipal -UserID 'DOMAIN\MSA1$' -LogonType Password
Register-ScheduledTask -TaskName "MyNewScheduledTask" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal

Inspiration taken from: https://cybergladius.com/secure-windows-scheduled-tasks-with-managed-service-accounts/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment