- Ensure the gMSA is Active on All Target Servers:
  - On each application server, install the AD PowerShell module and run:
    ```powershell
    Test-ADServiceAccount -Identity "New-gMSA"
    ```
  - If the result is `True`, the server can retrieve and use the gMSA.
- Grant Permissions to Use the gMSA:
  - Ensure the service has the correct permissions. On the server, run:
    ```powershell
    Add-ADComputerServiceAccount -Identity <AppServerName> -ServiceAccount "New-gMSA"
    ```
- Stop the Service to Update Credentials:
  - On each server, stop the service that needs to use the gMSA:
    ```powershell
    Stop-Service -Name "<ServiceName>"
    ```
- Update the Service to Use the gMSA:
  - Use the following command to update the service credentials:
    ```powershell
    $serviceName = "<ServiceName>"
    $gMSA = "New-gMSA$"   # Add $ to indicate gMSA (sc.exe normally expects the account as DOMAIN\New-gMSA$)
    Set-Service -Name $serviceName -StartupType Automatic
    # The password stays empty: the host retrieves the gMSA password from AD itself
    sc.exe config $serviceName obj= $gMSA password= ""
    ```
- Grant Logon as a Service Right:
  - Use Group Policy or manually grant the gMSA "Log on as a Service" permission. You can set this locally:
    ```powershell
    ntrights -u "New-gMSA" +r SeServiceLogonRight
    ```
- Start the Service with gMSA:
  - Start the service with the new credentials:
    ```powershell
    Start-Service -Name "<ServiceName>"
    ```
- Verify the Service is Running Properly:
  - Check that the service is running without issues:
    ```powershell
    Get-Service -Name "<ServiceName>"
    ```
Automating for Multiple Servers and Services
You can automate the steps using PowerShell remoting across multiple servers. Here’s a sample script for multiple servers:
```powershell
$servers = @("AppServer1", "AppServer2", "AppServer3")
$serviceName = "<ServiceName>"
foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        # $using: passes the local variable into the remote session
        Stop-Service -Name $using:serviceName
        # Empty password: the server retrieves the gMSA password from AD
        sc.exe config $using:serviceName obj= "New-gMSA$" password= ""
        Start-Service -Name $using:serviceName
    }
}
```
Important Considerations
- Restart Servers: Some services may require a server reboot to correctly apply the gMSA.
- Firewall & Policy Configs: Ensure no group policies or firewalls block the new service account from accessing necessary resources.
- Testing: Always test in a staging environment before rolling out changes in production.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
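An added example, not part of Marcin's answer, that extends the rollout script above with the checks a practitioner would want before and after touching each service: it confirms the host can actually retrieve the gMSA (`Test-ADServiceAccount`), records the previous logon account, and verifies the new account and state from the service control manager rather than assuming the change applied. Server names, the service name and the `CONTOSO` domain are placeholders; the AD PowerShell module is assumed to be installed on each target.

```powershell
# Added example (not the original answer's code). Placeholders: server names, <ServiceName>, CONTOSO domain.
$servers     = @("AppServer1", "AppServer2", "AppServer3")   # placeholders
$serviceName = "<ServiceName>"                               # placeholder
$gmsaName    = "New-gMSA"                                    # sAMAccountName without the trailing $
$gmsaLogon   = "CONTOSO\New-gMSA$"                           # placeholder domain; the $ suffix marks a gMSA

$results = foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ArgumentList $serviceName, $gmsaName, $gmsaLogon -ScriptBlock {
        param($svc, $name, $logon)
        # 1. Pre-check: can this host retrieve the gMSA password? Stop here if not,
        #    instead of leaving the service stopped with credentials it cannot use.
        Import-Module ActiveDirectory
        if (-not (Test-ADServiceAccount -Identity $name)) {
            return [pscustomobject]@{ Server = $env:COMPUTERNAME; Ok = $false; Reason = "Test-ADServiceAccount returned False" }
        }
        # 2. Record the current logon account so the change can be reverted if needed.
        $before = (Get-CimInstance Win32_Service -Filter "Name='$svc'").StartName
        # 3. Reconfigure. The empty password is correct: the host fetches it from AD.
        Stop-Service -Name $svc -ErrorAction Stop
        $out = & sc.exe config $svc obj= $logon password= ""
        if ($LASTEXITCODE -ne 0) {
            return [pscustomobject]@{ Server = $env:COMPUTERNAME; Ok = $false; Reason = "sc.exe failed: $out" }
        }
        Start-Service -Name $svc -ErrorAction Stop
        # 4. Verify what the service control manager reports, not just what was requested.
        $svcInfo = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Ok     = ($svcInfo.State -eq 'Running' -and $svcInfo.StartName -eq $logon)
            Reason = "before=$before after=$($svcInfo.StartName) state=$($svcInfo.State)"
        }
    }
}
# One row per server; any Ok = False row names the server that still needs attention.
$results | Format-Table Server, Ok, Reason -AutoSize
```

If a server reports `Ok = False` at the pre-check stage, nothing on it has been changed yet, so the service keeps running under its old account until the gMSA retrieval is fixed.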