...

Guidelines / Prerequisites

  1. Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).

    1. If the server is not yet installed, refer to this guide to set up and install dsRequester.

  2. Create a security group that will be allowed to retrieve the managed password for the gMSA.

  3. Create and install the gMSA.

  4. Reconfigure GYTPOL Tasks to use the gMSA.

Creating the Security Group (GroupName)

A security group is required to define which computers can retrieve the gMSA's managed password and use it.

Note

This step is crucial before creating the gMSA.

...

  1. Log in to the GYTPOL dsRequester server.

  2. Open PowerShell as an Administrator.

  3. Install the gMSA using:

    Install-ADServiceAccount -Identity "gytGMSA"
  4. Test the gMSA installation. A True result indicates that the account is ready to use.

    Test-ADServiceAccount "gytGMSA"

...

Add the gMSA to Local Administrators group and Logon as a Batch Privilege on the dsRequester server

Granting gMSA Local Administrator Privileges

...

The "Log on as a batch job" privilege allows the gMSA to execute tasks such as scheduled tasks or batch processes. Here's how to grant this privilege:

  1. Open Local Security Policy:

    1. Log in to the target machine as an administrator.

    2. Press Win + R, type secpol.msc, and press Enter to open the Local Security Policy console.

  2. Locate the Policy:

    1. In the left pane, go to Security Settings > Local Policies > User Rights Assignment.

    2. In the right pane, double-click Log on as a batch job.

  3. Add the gMSA:

    1. In the Properties window, click Add User or Group > Advanced > Find Now.

    2. Search for the gMSA account. The account will appear as Domain\MyGMSA$.

    3. Select Domain\gytGMSA$ and click OK.

  4. Apply Changes:

    1. Click Apply and then OK to save the changes.

    2. Close the Local Security Policy console.

Domain Permissions:

  1. Add the gMSA to the "Performance Log Users" group in the domain.

Adding the gMSA to the "Performance Log Users" Group in the Domain

  1. Open Active Directory Users and Computers on the dsRequester Server:

    • Press Win + R, type dsa.msc, and press Enter.

  2. Locate the Group:

    • Navigate to the Built-in container or the location of the Performance Log Users group.

  3. Add the gMSA:

    • Double-click Performance Log Users and go to the Members tab.

    • Click Add > Advanced > Find Now.

    • Select Domain\gytGMSA$ and click OK.

  4. Apply Changes:

    • Click Apply > OK to save and close.

Reconfigure GYTPOL Tasks to use the gMSA

Update Scheduled Tasks:

Update all gytpolServer scheduled tasks (3 in total) to run under the gMSA.

Ensure all tasks are executing as the user who originally installed the dsRequester (not the gMSA), following the instructions in Prerequisites Step 1.

...

Follow these steps to use the script (be sure to modify the gMSA name as needed):

  1. Open PowerShell ISE as an Administrator.

  2. Copy and paste the script into the editor.

  3. Run the script and verify the results.
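One way to check the end state this page describes, written as an added example (it is not GYTPOL's script and not part of the original page). It assumes the gMSA is named gytGMSA as above, that the ActiveDirectory module is available on the dsRequester server, and that the GYTPOL task names match the pattern *gytpol*, which is a guess to adjust.

```powershell
#Requires -RunAsAdministrator
# Added verification example. Run on the dsRequester server.
Import-Module ActiveDirectory

$gmsaName   = 'gytGMSA'      # gMSA name used on this page; change if yours differs
$taskFilter = '*gytpol*'     # ASSUMED task-name pattern; adjust to the real task names

$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties MemberOf
$sid  = $gmsa.SID.Value
$sam  = $gmsa.SamAccountName                     # has a trailing $, e.g. gytGMSA$

# 1. Can this host retrieve the managed password?
$installed = Test-ADServiceAccount -Identity $gmsaName

# 2. Direct membership in local Administrators (well-known SID, language independent)
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

# 3. Explicit "Log on as a batch job" grant (SeBatchLogonRight) in the local policy
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -Force
$holders = @()
if ($line) {
    # Entries are "*<SID>" or, for names secedit could not map, the account name
    $holders = ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
}
$hasBatch = ($holders -contains $sid) -or ($holders -contains $sam)

# 4. Domain group membership: Performance Log Users
$inPerfLog = [bool]($gmsa.MemberOf -like 'CN=Performance Log Users,*')

[pscustomobject]@{
    Gmsa                = $sam
    PasswordRetrievable = $installed
    LocalAdministrator  = $isAdmin
    BatchLogonRight     = $hasBatch
    PerformanceLogUsers = $inPerfLog
} | Format-List

# 5. Which account does each matching scheduled task run as?
Get-ScheduledTask | Where-Object TaskName -like $taskFilter |
    Select-Object TaskName,
        @{ n = 'RunAs';      e = { $_.Principal.UserId } },
        @{ n = 'IsGmsa';     e = { $_.Principal.UserId -like "*$sam" } },
        @{ n = 'LogonType';  e = { $_.Principal.LogonType } } |
    Format-Table -AutoSize
```

BatchLogonRight reports only an explicit entry for the gMSA; a right inherited through a group such as Administrators is not counted. The task table should list three tasks, each with IsGmsa set to True.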

...