Created December 17, 2021 23:49
```powershell
<#
Step 1 - (on a non-DC)
Add-WindowsFeature RSAT-AD-PowerShell
Step 2 - Create a Security group and add all the hostnames you will use the gMSA on.
These are the computers permitted to retrieve the password from AD
#>
$gMSA_Name = 'svc_sql'
$gMSA_FQDN = 'svc_sql.hall.test'
# Getting all the hostnames from the group
$gMSA_HostNames = Get-ADGroupMember -Identity gMSAs | Select-Object -ExpandProperty Name
# Add the Rootkey (backdated 10 hours so it is usable immediately; a freshly
# created key is otherwise not effective until it has replicated to all DCs)
Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Get the principal for the computer account(s) in $gMSA_HostNames
$gMSA_HostsGroup = $gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ }
# Create the gMSA; only the computer accounts listed here may retrieve its password
New-ADServiceAccount -Name $gMSA_Name -DNSHostName $gMSA_FQDN -PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroup
# Install on the target machine (run on each host from the group, not on the DC)
Install-ADServiceAccount svc_sql
# Test the installation (returns $true when the host can retrieve the password)
Test-ADServiceAccount svc_sql
# To remove the gMSA
Remove-ADServiceAccount -Identity svc_sql
```
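An added follow-up check, not part of the gist: after the gMSA is created, this function verifies that a KDS root key is actually effective, that password retrieval is granted only to the computer accounts in the group from Step 2, and that the rotation interval has not been relaxed. The account and group names ('svc_sql', 'gMSAs') are the gist's; the function name is mine.

```powershell
Import-Module ActiveDirectory

function Test-gMSARetrievalScope {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$AllowedGroup
    )
    $findings = @()

    # 1. A gMSA password can only be derived once a KDS root key is effective.
    $effectiveKeys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
    if (-not $effectiveKeys) {
        $findings += 'No effective KDS root key: Install-ADServiceAccount will fail on every host.'
    }

    # 2. Read the principals that may retrieve the managed password and the rotation interval.
    $gmsa = Get-ADServiceAccount -Identity $ServiceAccount `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object { Get-ADObject -Identity $_ })

    # 3. Expected set: computer accounts that are members of the group from Step 2.
    $expected = @(Get-ADGroupMember -Identity $AllowedGroup -Recursive |
        Where-Object { $_.objectClass -eq 'computer' })

    foreach ($p in $allowed) {
        if ($p.ObjectClass -eq 'group') {
            # A group widens retrieval to its whole (transitive) membership.
            $findings += "Group '$($p.Name)' may retrieve the password; membership is transitive."
        }
        elseif ($p.ObjectGUID -notin $expected.ObjectGUID) {
            $findings += "Principal '$($p.Name)' is not a member of '$AllowedGroup'."
        }
    }
    foreach ($e in $expected) {
        if ($e.ObjectGUID -notin $allowed.ObjectGUID) {
            $findings += "Host '$($e.Name)' is in '$AllowedGroup' but cannot retrieve the password."
        }
    }
    # Default rotation is 30 days; a longer interval keeps one password valid for longer.
    if ($gmsa.ManagedPasswordIntervalInDays -gt 30) {
        $findings += "Rotation interval is $($gmsa.ManagedPasswordIntervalInDays) days (default 30)."
    }

    [PSCustomObject]@{ ServiceAccount = $ServiceAccount; Findings = $findings }
}

Test-gMSARetrievalScope -ServiceAccount 'svc_sql' -AllowedGroup 'gMSAs'
```

Run it from the same RSAT host used for Steps 1 and 2; an empty Findings list means retrieval is scoped exactly to the group.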