Questions tagged [managed-service-accounts]

38 questions
13
votes
2 answers

Run command with a Managed Service Account?

I've just granted permissions for a MSA (Managed Service Account) to some resources. Can I verify it works, by running a cmd.exe process with the credentials of the MSA account, and check I have the proper permissions?
5
votes
1 answer

How can I get a Managed Service Account to use internet proxy settings from Group Policy?

I have a service running on a Windows 2012 R2 domain member server that requires internet access. The service is configured to run under a Managed Service Account and the account is granted local administrator privileges on the domain member. Group…
5
votes
1 answer

Does a Managed Service Account require a domain?

Does a Managed Service Account require a domain? I am trying to set up a standalone server (no domain) to add managed service accounts to assign for running services instead of creating local user accounts. I would prefer to use PowerShell cmdlets to…
5
votes
1 answer

How to tell when a managed service account password last changed

We have a managed service account running a service on a Windows 2012 R2 service. The service has a pattern of failing every 30 or 60 days (sometimes 30 days, sometimes 60 days). One thought we had was the Managed Service Account password change…
5
votes
1 answer

Microsoft Key Distribution Service fails to start

The Microsoft Key Distribution Service is not starting on my DC. In the Microsoft\Kdssvc event log, there are: Event ID 4001 Group Key Distribution Service failed to start. Status 0x80070020. Event ID 4007 Group Key Distribution Service cannot…
5
votes
0 answers

Installing MSA (Managed Service Accounts) using Windows deployment tools

I have to install several new application servers (2012R2) for a project which will run IIS and MSMQ. I need to script the complete install, so I need to be able to change permissions on IIS Application Pools for instance. I plan to use MSA's for…
4
votes
1 answer

Install Service Account remotely to lots of servers

We have a new process I'm trying to implement, part one of my task basically is change the local administrator password every month and update the password vault with the new password for the administrator team. - this part of my PowerShell script…
4
votes
1 answer

Giving permissions to Virtual Service Accounts on domain controllers

The service I'm implementing will run on a domain controller, so I'd like it to have minimal privileges. Ideally, it would simply run as Local Service. However, it needs to be able to: monitor performance counters (be a member of Performance…
3
votes
1 answer

Can I use a gMSA for stored credentials in a SSRS data source?

I have an instance of SQL Server 2016 Reporting Services service running under DOMAIN\reporting$ containing a data source that needs to query a database using the stored credential DOMAIN\database$. Unfortunately when I store the gMSA credential and…
Mike
  • 1,303
3
votes
0 answers

Install Windows Service using chef and have it run using a Group Managed Service Account

I'm trying to setup a number of dev servers using Chef. I need a Windows Service to run as a managed service account. I have the following in a recipe: windows_service 'My Windows Service' do action :create display_name "My Windows Service" …
Greg
  • 483
3
votes
1 answer

Group Managed Service Accounts per service per server (Best practice?) and long names?

I've talked with a few colleagues about what might be best practice for using group managed service accounts in our environment. It seems that ideally, we would create 1 gMSA per service (e.g. SQL Agent service) per server (e.g. SQLDEV01). This…
2
votes
1 answer

Does Install-ADServiceAccount modify "NT SERVICE\ALL SERVICES"

I had a problem where newly created Managed Service Accounts did not have "Logon as a service" right. A GPO was excluding "NT SERVICE\ALL SERVICES" from "Logon as a service". This was fixed. Am I right in thinking that Install-ADServiceAccount adds…
leancz
  • 152
2
votes
2 answers

How to find owner of an AWS account with account number

I inherited a couple of AWS environments. I have been recently doing security audits of S3 and found several policies with principals containing AWS account numbers I don't know, and nobody at my company is familiar with them either. So I want to…
2
votes
0 answers

Can I as a normal user run stuff under a managed service account?

Let's say I have remote access to a server which uses MSA's to run application pools and Windows services. Can I as a normal (not elevated) user run programs under those MSA's? For example PsExec.exe -u domain\MsaAccount$ cmd.exe I would say no,…
2
votes
1 answer

Schedule Windows Task with Managed Service Account on DC

I have downloaded a script from TechNet and I am scheduling this with the MSA (Managed Service Account) on a DC. I get the error Task Scheduler launched "{!@#!#!@#}" instance of task "\TasknamE" for user "MSA$" . Task Scheduler failed to start…