...

  1. Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for the initial installation).

    1. If the server is not yet installed, refer to this guide to set up and install dsRequester.

  2. Create a security group that will be allowed to retrieve the managed password for the gMSA, and add the computer account(s) of the GYTPOL server(s) to it.

  3. Create and install the gMSA account.

  4. Reconfigure the GYTPOL Tasks to use the gMSA account.

Create the gMSA

  1. Identify the name of the gMSA you want to create. For example, gytGMSA.

  2. Determine the group or computer accounts that will have access to use this gMSA.

  3. Open PowerShell as an Administrator on a Domain Controller.

  4. Run the following command to create the gMSA:

Code Block
languagepowershell
New-ADServiceAccount -Name "gytGMSA" -DNSHostName "demosrv1.demo.com" -PrincipalsAllowedToRetrieveManagedPassword "Gytpol Servers" -ManagedPasswordIntervalInDays 1
Info
  • Replace gytGMSA with your desired gMSA name.

  • 'Gytpol Servers' refers to a pre-created Active Directory group containing the computer account(s) of the GYTPOL server(s) where the gMSA will be installed. Replace it with your own group (or with the computer accounts themselves) that will use this gMSA.

  • -DNSHostName is required for a group managed service account. Replace demosrv1.demo.com with a DNS name in your domain (typically <gMSA name>.<domain>).

  • Creating a gMSA requires a KDS root key in the forest (check with Get-KdsRootKey). -ManagedPasswordIntervalInDays can only be set at creation time; to change it later, the gMSA must be recreated.

Verify the creation of the gMSA account with:

Code Block
languagepowershell
Get-ADServiceAccount "gytGMSA" -Properties PrincipalsAllowedToRetrieveManagedPassword
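The following script is an added example and is not part of the GYTPOL documentation. It carries the "Create the gMSA" steps above through in one pass from an elevated PowerShell session on a Domain Controller: it checks for the KDS root key the gMSA depends on, creates the group and adds the server computer account to it, creates the gMSA, and reads the result back to confirm that only that group may retrieve the managed password. The computer name demosrv1 and the use of the domain's DNS root for -DNSHostName are assumptions; the group and gMSA names are the ones used in the guide.

```powershell
# Added example (not part of the GYTPOL documentation): create the group and the gMSA in one pass.
# Run in an elevated PowerShell session on a Domain Controller. Names marked "assumption" are placeholders.
Import-Module ActiveDirectory

$gmsaName    = "gytGMSA"          # gMSA name used in the guide
$groupName   = "Gytpol Servers"   # group allowed to retrieve the managed password
$servers     = @("demosrv1")      # assumption: computer name(s) of the GYTPOL dsRequester server(s)
$domainDns   = (Get-ADDomain).DNSRoot
$dnsHostName = "$gmsaName.$domainDns"   # assumption: <gMSA name>.<domain> as the gMSA DNS host name

# 1. A gMSA cannot be created without a KDS root key in the forest. The key is not created here on purpose:
#    a new key is only usable on every DC after it has replicated (wait about 10 hours), so create it
#    deliberately with Add-KdsRootKey rather than as a side effect of this script.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key found. Create one with Add-KdsRootKey and wait for it to take effect."
}

# 2. Create the security group if it does not exist yet and put the server computer account(s) in it.
#    The server must be rebooted afterwards so its Kerberos ticket includes the new group membership.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
foreach ($server in $servers) {
    $computer = Get-ADComputer -Identity $server
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. Create the gMSA. -DNSHostName is mandatory. Restricting the account to AES256 keeps RC4 tickets from
#    being issued for it. The password interval cannot be changed later without recreating the account.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -ManagedPasswordIntervalInDays 1 `
    -KerberosEncryptionType AES256

# 4. Read back what was created and confirm the group is the only principal allowed to read the password.
$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
$gmsa | Select-Object Name, DNSHostName, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword

$unexpected = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword) | Where-Object { $_ -ne $group.DistinguishedName }
if ($unexpected) {
    Write-Warning "Principals other than '$groupName' may retrieve the managed password: $($unexpected -join ', ')"
}
```

Keep PrincipalsAllowedToRetrieveManagedPassword limited to the group of GYTPOL servers: any computer account that is a member of it can read the gMSA password, so the group membership is the effective access control for the account.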

Install the gMSA on the GYTPOL Server

  1. Log in to the GYTPOL dsRequester Windows server.

  2. Open PowerShell as an Administrator.

  3. Install the gMSA using:

    Code Block
    languagepowershell
    Install-ADServiceAccount -Identity "gytGMSA"
  4. Test the gMSA installation:

    Code Block
    languagepowershell
    Test-ADServiceAccount "gytGMSA"
Info

A True result indicates that the account is ready to use. A False result usually means the server's computer account is not yet a member of the group allowed to retrieve the managed password; after adding it, reboot the server (its Kerberos ticket must be refreshed to include the new group membership) and run the test again. Both cmdlets require the ActiveDirectory PowerShell module (part of the RSAT AD DS tools) on the GYTPOL server.

Use the gMSA for Local Administrators and Batch Privileges

Granting gMSA Local Administrator Privileges

  1. Add the gMSA to the local Administrators group on the GYTPOL server using PowerShell as Administrator. Replace Domain\gytGMSA$ with the gMSA's domain and name.

    Code Block
    languagepowershell
    Add-LocalGroupMember -Group "Administrators" -Member "Domain\gytGMSA$"
Info

The $ is required at the end of the gMSA name.

Adding the gMSA to "Log on as a Batch Job" Policy

The "Log on as a batch job" privilege allows the gMSA to execute tasks such as scheduled tasks or batch processes. If a domain Group Policy defines this user right, it overwrites the local setting at the next policy refresh; in that case add the gMSA to the right in the GPO instead. Here's how to grant this privilege locally:

Open Local Security Policy

...

  1. Log in to the target machine as an administrator.

  2. Press Win + R, type secpol.msc, and press Enter to open the Local Security Policy console.

Locate the Policy

  1. In the left pane, navigate to: Security Settings > Local Policies > User Rights Assignment.

  2. In the right pane, double-click Log on as a batch job (or right-click it and select Properties).

Add the gMSA

  1. In the Properties window, click Add User or Group.

  2. In the dialog box, click Advanced, then click Find Now.

  3. Search for the gMSA account. The account will appear as Domain\gytGMSA$. If it is not listed, click Object Types and make sure Service Accounts is selected.

  4. Select the gMSA and click OK.

Apply and Close

  1. Click Apply and then OK to save the changes.

  2. Close the Local Security Policy console.

Domain Permissions:

  1. Add the gMSA to the "Performance Log Users" group in the domain.

Reconfigure GYTPOL Tasks to use the gMSA

Update Scheduled Tasks:

Modify all gytpolServer scheduled tasks (3 in total) to run under the gMSA:

...

  1. Set the task to use the gMSA username (Domain\gytGMSA$) with an empty password. The Task Scheduler GUI has limited support for gMSAs; if it will not accept the account without a password, use the PowerShell script below instead.

...

Execute the tasks manually:

  • Right-click and run all three tasks.

  • Monitor the tasks to ensure they are running without failures.

Script example:

...

Follow these steps to use the script (be sure to modify the gMSA name as needed):

  1. Open PowerShell ISE as an Administrator.

  2. Copy and paste the script into the editor.

  3. Run the script and verify the results.

Code Block
languagepowershell
# Define the gMSA name, including the domain and the trailing $ (single quotes keep the $ literal)
$gMSAName = 'DOMAIN\gytGMSA$'   # replace DOMAIN with your NetBIOS domain name

# Set the run level
$runLevel = "Highest"   # Options: Highest, Limited

# Names of the GYTPOL server tasks
$taskNames = @("gytpolServer", "gytpolServerDaily", "gytpolServerWeekly")

# Loop through each task and update the principal
foreach ($taskName in $taskNames) {
    # Stop if a task is missing instead of silently skipping it
    $null = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop

    # -LogonType Password is the logon type Task Scheduler uses for a gMSA; no password is stored with the task
    $principal = New-ScheduledTaskPrincipal -UserId $gMSAName -LogonType Password -RunLevel $runLevel

    # Update the scheduled task with the new principal
    Set-ScheduledTask -TaskName $taskName -Principal $principal | Out-Null

    # Read the principal back to confirm the change was applied
    $applied = (Get-ScheduledTask -TaskName $taskName).Principal.UserId
    Write-Host "Updated task: $taskName now runs as: $applied"
}

After the script runs successfully, the following output should appear on your screen:

...

Manually execute the tasks by right-clicking on them and selecting Run.

Verify that they remain in the "Running" status and do not terminate immediately.
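The following check script is an added example and is not part of the GYTPOL documentation. It verifies, from an elevated PowerShell session on the GYTPOL server, everything the sections above configure: that the server can retrieve the gMSA password, that the gMSA is a local Administrator, that it holds the "Log on as a batch job" right (read from a secedit export, which is also where a GPO override would show up), and that the three tasks run as the gMSA with the Password logon type and completed their last run. The NetBIOS domain name DEMO is an assumption; the gMSA and task names are the ones used in the guide.

```powershell
# Added post-configuration check (not part of the GYTPOL documentation).
# Run in an elevated PowerShell session on the GYTPOL server; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$gmsaAccount = 'DEMO\gytGMSA$'    # assumption: NetBIOS domain and gMSA name (trailing $ required)
$taskNames   = @("gytpolServer", "gytpolServerDaily", "gytpolServerWeekly")
$failures    = @()

# 1. Can this server retrieve the managed password? False usually means the computer account
#    is not yet in the allowed group, or the server was not rebooted after being added.
$gmsaName = $gmsaAccount.Split('\')[1]
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    $failures += "Test-ADServiceAccount returned False for $gmsaName"
}

# 2. Is the gMSA a member of the local Administrators group? Compare SIDs, not display names.
$sid = (New-Object System.Security.Principal.NTAccount($gmsaAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$adminSids = Get-LocalGroupMember -Group "Administrators" | ForEach-Object { $_.SID.Value }
if ($adminSids -notcontains $sid) {
    $failures += "$gmsaAccount is not in the local Administrators group"
}

# 3. Does the gMSA hold 'Log on as a batch job'? secedit exports each right as a list of *SID entries,
#    and reflects the effective setting, so a GPO that overrides the right shows up here.
$cfg = Join-Path $env:TEMP "user-rights.inf"
secedit /export /cfg "$cfg" /areas USER_RIGHTS | Out-Null
$batchRight = Get-Content $cfg | Where-Object { $_ -like "SeBatchLogonRight*" }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not ($batchRight -and $batchRight.Contains("*$sid"))) {
    $failures += "$gmsaAccount does not hold SeBatchLogonRight (check for a GPO overriding User Rights Assignment)"
}

# 4. Do the GYTPOL tasks run as the gMSA with the Password logon type, and did their last run succeed?
foreach ($taskName in $taskNames) {
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) { $failures += "Task $taskName not found"; continue }

    if ($task.Principal.UserId -ne $gmsaAccount -or $task.Principal.LogonType -ne 'Password') {
        $failures += "Task $taskName runs as '$($task.Principal.UserId)' with logon type '$($task.Principal.LogonType)'"
    }

    $info = Get-ScheduledTaskInfo -TaskName $taskName
    if ($info.LastTaskResult -ne 0) {
        $failures += "Task $taskName last result was 0x{0:X} at {1}" -f $info.LastTaskResult, $info.LastRunTime
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All gMSA checks passed for $gmsaAccount"
}
```

A task that has been updated but never run reports LastTaskResult 0x41303 ("task has not yet run"), so run the three tasks manually once, as the step above says, before treating that warning as a failure.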

...