Last active
January 28, 2023 05:31
Creating a Managed Service Account on the domain
These steps can be done from a remote PC, but it needs the AD tools installed under Features.
1. Add Roles and Features » Features » Remote Server Administration Tools » Role Administration Tools, and install AD DS and AD LDS Tools, OR install with the command:
Install-WindowsFeature RSAT-AD-Powershell
Possibly reboot.
Start PowerShell with the Active Directory Module, or start plain PowerShell. Note: run as your OU domain account if you're not logged in with that account in your session.
OR launch PowerShell and import the AD module with:
Import-Module ActiveDirectory
2. Create an MSA with:
New-ADServiceAccount -Name yoursvcaccountname.svc -path "OU=MSA,OU=Service Accounts,OU=Departmental Users,OU=HERE,OU=COM,DC=domain,DC=ad,DC=url,DC=com" -enabled $true -RestrictToSingleComputer
(Note: your domain might limit the characters allowed.)
(I've noticed that if you do this on the server you want it to live on, sometimes this will make it into a gMSA. If it asks you for a host name, then that is the case.)
3. Associate the new MSA with a target computer in Active Directory:
Add-ADComputerServiceAccount -Identity name-of-pc1 -ServiceAccount yoursvcaccountname.svc
4. Log on to the machine where you want the MSA.
5. Enable the AD DS toolkit under Features (Remote Server Administration Tools » Role Administration Tools).
6. Follow step 1 above on the machine.
7. Install the MSA. You will NEED to have PowerShell running on the machine. Run as Administrator or this will throw an error:
Install-ADServiceAccount -Identity yoursvcaccountname.svc
You can now use the MSA locally.
8. Open Computer Management and go to Services.
9. Change the log on for the service you want to change to DOMAIN/yoursvcaccountname.svc% or browse (and change the search to allow service accounts).
10. Seemed like I had to add the MSA to the Administrators group for things to work correctly.
Alternatively, here is a PowerShell script; make sure you are using your .admin account and running PowerShell as an administrator:
$MSAName = "yoursvcaccountname.svc"   # name of the MSA to create
$SrvName = "name-of-pc1"              # computer that will be allowed to use it
Import-Module ActiveDirectory
# -RestrictToSingleComputer creates a standalone MSA, matching step 2; without it New-ADServiceAccount
# builds a gMSA and prompts for a DNS host name (the behaviour noted in step 2)
New-ADServiceAccount -Name $MSAName -path "OU=MSA,OU=Service Accounts,OU=Departmental Users,OU=HERE,OU=COM,DC=domain,DC=ad,DC=url,DC=com" -enabled $true -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity $SrvName -ServiceAccount $MSAName
# Install-ADServiceAccount must run on $SrvName itself, in an elevated session (step 7)
Install-ADServiceAccount -Identity $MSAName
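Once the script above has run, the following added check script (not part of the gist) verifies on the target host that the account is a standalone MSA linked only to that host, that the host can retrieve its password, and then binds a service to it without the blank-password typing of step 9 or the Administrators membership of step 10. $ServiceName and $Domain are placeholders to replace.

```powershell
# Added verification/binding script; run on the computer named in $SrvName, as Administrator.
Import-Module ActiveDirectory

$MSAName     = "yoursvcaccountname.svc"   # MSA created in step 2
$SrvName     = "name-of-pc1"              # computer linked in step 3 (this host)
$ServiceName = "YourServiceName"          # placeholder: Windows service that should run as the MSA
$Domain      = "DOMAIN"                   # placeholder: NetBIOS name of the AD domain

# 1. Confirm the object is a standalone MSA, not the gMSA that step 2 warns about.
$msa = Get-ADServiceAccount -Identity $MSAName -Properties HostComputers, Enabled
if ($msa.ObjectClass -ne 'msDS-ManagedServiceAccount') {
    throw "$MSAName is a '$($msa.ObjectClass)', not a standalone MSA; recreate it with -RestrictToSingleComputer"
}
if (-not $msa.Enabled) { throw "$MSAName is disabled in AD" }

# 2. Confirm it is linked to exactly the intended computer and nothing else.
$expectedHost = (Get-ADComputer -Identity $SrvName).DistinguishedName
$linked = @($msa.HostComputers)
if ($linked.Count -ne 1 -or $linked[0] -ne $expectedHost) {
    throw "HostComputers for $MSAName is [$($linked -join '; ')], expected only $expectedHost"
}

# 3. Confirm this host can retrieve the managed password (i.e. step 7 succeeded here).
if (-not (Test-ADServiceAccount -Identity $MSAName)) {
    throw "Test-ADServiceAccount failed on $env:COMPUTERNAME; rerun Install-ADServiceAccount as Administrator"
}

# 4. Bind the service to the MSA. The logon name is DOMAIN\name$ (the SamAccountName of an MSA
#    already ends in '$') and the password is left empty because Windows fetches it from AD.
#    sc.exe is called explicitly; inside PowerShell the bare 'sc' is an alias for Set-Content.
$logon = "$Domain\$($msa.SamAccountName)"
& sc.exe config $ServiceName obj= $logon password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Unlike the Services snap-in, sc.exe does not grant the 'Log on as a service' right; if the
# service then fails to start with a logon failure, grant that right to the MSA in local
# security policy instead of adding the account to Administrators.
Restart-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```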
To remove an MSA as a service, run CMD as an administrator and:
sc config CrossFireServerComponentFramework obj= domain\username password= PASSWORD
(Note: the above just puts some junk in there and then will let you change it.)