Unable to use security group to grant password permissions for gMSA

Chris McKenzie 21 Reputation points
2020-09-16T23:48:17.857+00:00

Hi there,

I don't seem to be able to allow a group to retrieve a managed password for a group managed service account.

Yesterday we deployed a pilot of Azure ATP, and that's all working fine. However when dealing with the gMSA's property for principals allowed to retrieve the password, 'PrincipalsAllowedToRetrieveManagedPassword', it seems this only functions when I add the computer objects directly.

Currently the permissions allocated for retrieving the password are set to two computers and a group which has three computers as members (the first two computers are members of the group). Only the third computer is not able to get permissions to retrieve the password from AD at the moment. When first setting up the gMSA, the first two computers were unable to get the credentials, as only the group was added to the property.

I'm not entirely sure what I'm missing. Are there any additional permissions I need to set?

Here are the contents of my PowerShell window with respect to the delegation and retrieve settings.

PrincipalsAllowedToDelegateToAccount :
{CN=AzureATPServers$,OU=_Operational,DC=domain,DC=internal}

PrincipalsAllowedToRetrieveManagedPassword :
{CN=PC1,OU=DomainControllers,DC=domain,DC=internal
CN=PC2,OU=DomainControllers,DC=domain,DC=internal
CN=AzureATPServers$,OU=_Operational,DC=domain,DC=internal}


Accepted answer
  1. Hannah Xiong 6,276 Reputation points
    2020-09-21T05:44:40.823+00:00

    Hello,

    Thank you so much for your feedback.

    So sorry to hear that it did not work when working with a security group. According to this document:

    "While you could grant individual computer objects the ability to use the gMSA, creating a security group to hold these computer objects will give you more administrative flexibility. The only downside to using a group is that, computers/hosts will need to be re-booted after being added/removed from the group to reflect membership changes.

    Next, you must use PowerShell (with the Server 2012 AD cmdlets) to create the gMSA. For creation, you must specify a name (SamAccountName) and dnsname. You’ll also want to specify the group allowed to use the gMSA and potentially SPNs for the account."

    Reference: https://support.imanami.com/hc/en-us/articles/360012292593-How-To-Configure-Group-Managed-Service-Account-for-GroupID

    Hope this information is helpful. Thank you so much for your time and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================
    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Hannah Xiong 6,276 Reputation points
    2020-09-17T07:29:20.49+00:00

    Hello,

    Thank you so much for posting here.

    "When creating the gMSA you need to specify the computer accounts that will be allowed to make use of the gMSA. The gMSA will not work on any computers that are not specified in the PrincipalsAllowedToRetrieveManagedPassword attribute. You can specify the computer accounts using a comma separated list, or you can specify a security group, and then add the computer accounts to the security group instead. "

    For more information, we could refer to:

    https://secureinfra.blog/2020/04/15/create-a-group-managed-service-account-gmsa/

    Hope the information might be of some help to you. Thank you so much for your time and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
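The two answers above make the same two points: grant the retrieve-password right to a security group rather than to individual computer objects, and expect that a host must obtain a fresh Kerberos ticket (normally by rebooting) before a group-membership change is reflected in its token. The following PowerShell is an added worked example, not code from the original thread or from Microsoft; the gMSA name (svcATP), group name (gMSA-ATP-Hosts), host names (PC1, PC2, PC3) and DNS suffix (domain.internal) are assumptions. It also adds the one check the thread does not show: expanding the group on the DC side so you can see which computers the property actually resolves to, and purging the computer account's own tickets on the host as an alternative to a reboot.

```powershell
# Added example (not from the original thread). Assumed names: gMSA "svcATP",
# security group "gMSA-ATP-Hosts", hosts PC1/PC2/PC3, DNS suffix "domain.internal".
# Requires the ActiveDirectory RSAT module and rights to create groups and gMSAs.
Import-Module ActiveDirectory

$GroupName   = 'gMSA-ATP-Hosts'     # assumption: group that holds the allowed hosts
$AccountName = 'svcATP'             # assumption: gMSA sAMAccountName (stored as svcATP$)
$Hosts       = 'PC1', 'PC2', 'PC3'  # assumption: the three host computer accounts

# --- Run on a domain member with RSAT, as an account that can manage the OU ---

# 1. Create the security group once and add the computer objects to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$computers = $Hosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $computers

# 2. Create the gMSA with the GROUP (not individual hosts) as the principal allowed
#    to retrieve the managed password; if it already exists, just reset the property.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "$AccountName.domain.internal" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
} else {
    Set-ADServiceAccount -Identity $AccountName `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# 3. DC-side check: list what the property contains and expand any group to the
#    computer accounts it resolves to. A host missing from this expansion has no
#    chance of retrieving the password regardless of its ticket state.
$gmsa = Get-ADServiceAccount -Identity $AccountName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.objectClass -eq 'group') {
        $members = Get-ADGroupMember -Identity $dn -Recursive |
                   Where-Object objectClass -eq 'computer' |
                   Select-Object -ExpandProperty Name
        "{0} (group) -> {1}" -f $obj.Name, ($members -join ', ')
    } else {
        "{0} ({1})" -f $obj.Name, $obj.objectClass
    }
}

# --- Run ON EACH HOST (elevated) after it has been added to the group ---

# 4. The host's computer account only sees the new group in a freshly issued TGT.
#    Rebooting does this; purging the tickets of the SYSTEM logon session
#    (logon ID 0x3e7) is the no-reboot alternative, after which the next
#    authentication by the computer account fetches a new TGT.
klist -li 0x3e7 purge

# 5. Ask the host to retrieve the password. Test-ADServiceAccount returns $true
#    only when this computer is able to read the managed password from AD.
Install-ADServiceAccount -Identity $AccountName
if (Test-ADServiceAccount -Identity $AccountName) {
    "$AccountName : this host can retrieve the managed password"
} else {
    "$AccountName : retrieval FAILED - check group membership and purge/reboot"
}
```

Step 3 is the quickest way to tell the two failure modes apart: if a host is not in the expanded list, the problem is group membership in AD; if it is listed but Test-ADServiceAccount still returns False, the host is still holding a computer-account ticket issued before it joined the group, and step 4 (or a reboot) is what is missing.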

