...

Follow these guidelines to ensure all GYTPOL components function correctly with the gMSA.

Guidelines / Prerequisites

  1. Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).

    1. If the server is not yet installed, please refer to this guide to set up and install dsRequester.

  2. Create a security group that will be allowed to retrieve the managed password for the gMSA.

  3. Create and install the gMSA.

  4. Reconfigure GYTPOL Tasks to use the gMSA.

Creating the Security Group (GroupName)

A security group is required to define which computers can retrieve the gMSA's managed password and use it.

Info

This step is crucial before creating the gMSA.

Create the Security Group

  1. Open Active Directory Users and Computers (ADUC) on a Domain Controller.

    1. You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.

  2. Right-click the desired OU, select New > Group, and name it (e.g., gMSA-GYTPOL-Servers).

  3. Set the group type to Security and click OK.

  4. Enter the computer accounts that should have access to the gMSA under the Members tab.

    1. Usually, this will include only the dsRequester server.

Create the gMSA

  1. Identify the name of the gMSA you want to create. For example, gytGMSA.

  2. Determine the group or computer accounts that will have access to use this gMSA.

  3. Open PowerShell as an Administrator on a Domain Controller.

    1. You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.

  4. Run the following command to create the gMSA:

...

Info
  • Replace gytGMSA with your desired gMSA name.

  • Replace domain.com with your domain name.

  • Replace GroupName with the name of the group you created (e.g., gMSA-GYTPOL-Servers), i.e. the group or computer accounts that will use this gMSA.

    • The PrincipalsAllowedToRetrieveManagedPassword parameter ensures that only members of the specified group can access the gMSA's credentials. This adds a layer of security and limits access to specific computers or services.

Verify the creation of the gMSA account with:

...
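The full sequence described above (security group, gMSA creation with PrincipalsAllowedToRetrieveManagedPassword, verification) as an added PowerShell example; it is not GYTPOL's own command and the names gytGMSA, gMSA-GYTPOL-Servers, DSREQ01 and domain.com are assumptions taken from or made for this guide. The verification function also checks that no principal other than the intended group can retrieve the managed password.

```powershell
# Added example, not the guide's own command. Assumed names: gMSA "gytGMSA",
# group "gMSA-GYTPOL-Servers", dsRequester computer "DSREQ01", domain "domain.com".
Import-Module ActiveDirectory

$Domain     = 'domain.com'
$GmsaName   = 'gytGMSA'
$GroupName  = 'gMSA-GYTPOL-Servers'
$ServerName = 'DSREQ01'   # computer account of the dsRequester server

# A KDS root key must exist in the forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one with Add-KdsRootKey (allow ~10 h before use).'
}

# 1. Security group whose members may retrieve the managed password (only the dsRequester server).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ServerName)

# 2. Create the gMSA; PrincipalsAllowedToRetrieveManagedPassword limits who can pull its password.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType 'AES128,AES256'

# 3. Verify: the account exists and exactly one principal (our group) may retrieve the password.
function Test-GmsaScope {
    param([string]$Name, [string]$Group)
    $acct  = Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allow = @($acct.PrincipalsAllowedToRetrieveManagedPassword)   # distinguished names
    $grpDn = (Get-ADGroup -Identity $Group).DistinguishedName
    if ($allow.Count -ne 1 -or $allow[0] -ne $grpDn) {
        Write-Warning "Unexpected principals may retrieve the password: $($allow -join '; ')"
        return $false
    }
    return $true
}
Test-GmsaScope -Name $GmsaName -Group $GroupName

# 4. On the dsRequester server (after a reboot, so its token carries the new group membership):
#    Install-ADServiceAccount -Identity 'gytGMSA'
#    Test-ADServiceAccount -Identity 'gytGMSA'    # True when the host can retrieve the password
```

Test-GmsaScope returning $false means the retrieval ACL is wider than the one group this guide intends; re-run Set-ADServiceAccount with the correct -PrincipalsAllowedToRetrieveManagedPassword before reconfiguring the GYTPOL tasks.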