Overview

This guide provides step-by-step instructions for configuring an on-premises GYTPOL dsRequester Server to use a Group Managed Service Account (gMSA).

Follow these guidelines to ensure all GYTPOL components function correctly with the gMSA.

Guidelines / Prerequisites

  1. Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).

    1. If the server is not yet installed, refer to this guide to set up and install dsRequester.

  2. Create a security group that will be allowed to retrieve the managed password for the gMSA.

  3. Create and install the gMSA.

  4. Reconfigure GYTPOL Tasks to use the gMSA.

Creating the Security Group (GroupName)

A security group is required to define which computers can retrieve the gMSA's managed password and use it.

Note

This step is crucial before creating the gMSA.

Create the Security Group

  1. Open Active Directory Users and Computers (ADUC) on a Domain Controller.

    1. You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.

  2. Right-click the desired OU, select New > Group, and name it (e.g., gMSA-GYTPOL-Servers).

  3. Set the group type to Security and click OK.

  4. Enter the computer accounts that should have access to the gMSA under the Members tab.

    1. Usually, this will include only the dsRequester server.

Create the gMSA

  1. Identify the name of the gMSA you want to create. For example, gytGMSA.

  2. Determine the group or computer accounts that will have access to use this gMSA.

  3. Open PowerShell as an Administrator on a Domain Controller.

    1. You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.

  4. Run the following command to create the gMSA:

...

Get-ADServiceAccount "gytGMSA"
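The group and gMSA creation steps above, carried through as one script. This is an added example and not part of the GYTPOL guide; the group and account names are the guide's sample names, while the OU path and the dsRequester computer name are placeholders you must replace. It also adds the check a practitioner wants before running New-ADServiceAccount: a gMSA cannot be created until the domain has a KDS root key.

```powershell
# Added example (not from the GYTPOL guide): create the security group and the gMSA
# in one pass and verify the result. Group and account names follow the guide;
# the OU path and the dsRequester computer name are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'gMSA-GYTPOL-Servers'                    # security group from the guide
$GmsaName   = 'gytGMSA'                                # gMSA name from the guide
$ServerName = 'DSREQUESTER01'                          # placeholder: dsRequester computer name
$GroupOu    = 'OU=Service Groups,DC=example,DC=com'    # placeholder: OU for the group
$DomainDns  = (Get-ADDomain).DNSRoot

# A gMSA cannot be created until the domain has a KDS root key.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey and wait for it to become effective before continuing.'
}

# 1. Security group that is allowed to retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}
# Only the dsRequester server's computer account belongs in this group.
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ServerName)

# 2. The gMSA itself, with password retrieval scoped to that group.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$DomainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -ManagedPasswordIntervalInDays 30
}

# 3. Verify: the account exists and the retrieval principal is the group, not a wider set.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword
```

Group membership for a computer account only takes effect in a new Kerberos ticket, so reboot the dsRequester server (or purge its tickets) after adding it to the group; until then Install-ADServiceAccount on that server will fail with an access error even though the directory side is correct.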

Install the gMSA on the GYTPOL Server

  1. Log in to the GYTPOL dsRequester server.

  2. Open PowerShell as an Administrator.

  3. Install the gMSA using:

    Install-ADServiceAccount -Identity "gytGMSA"

  4. Test the gMSA installation. A True result indicates that the account is ready to use.

    Test-ADServiceAccount "gytGMSA"

Add the gMSA to the Local Administrators Group and Grant the "Log on as a Batch Job" Privilege on the dsRequester Server

Granting gMSA Local Administrator Privileges

  1. Add the gMSA to the local Administrators group using PowerShell as Administrator. Replace Domain\gytGMSA$ with the gMSA's name and domain.

    Add-LocalGroupMember -Group "Administrators" -Member "Domain\gytGMSA$"

Info

The $ is required at the end of the gMSA name.

Adding the gMSA to "Log on as a Batch Job" Policy

The "Log on as a batch job" privilege allows the gMSA to execute tasks such as scheduled tasks or batch processes. Here's how to grant this privilege:

  1. Open Local Security Policy:

    1. Press Win + R, type secpol.msc, and press Enter.

  2. Locate the Policy:

    1. Go to Security Settings > Local Policies > User Rights Assignment.

    2. Double-click Log on as a batch job.

  3. Add the gMSA:

    1. Click Add User or Group > Advanced > Find Now.

    2. Select Domain\gytGMSA$ and click OK.

  4. Apply Changes:

    1. Click Apply > OK to save and close.

Adding the gMSA to the "Performance Log Users" Group in the Domain

  1. Open Active Directory Users and Computers on the dsRequester Server:

    • Press Win + R, type dsa.msc, and press Enter.

  2. Locate the Group:

    • Navigate to the Built-in container or the location of the Performance Log Users group.

  3. Add the gMSA:

    • Double-click Performance Log Users and go to the Members tab.

    • Click Add > Advanced > Find Now.

    • Select Domain\gytGMSA$ and click OK.

  4. Apply Changes:

    • Click Apply > OK to save and close.
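A verification script for the server-side steps above (gMSA installed, local Administrators membership, the "Log on as a batch job" right, and the domain "Performance Log Users" membership), run on the dsRequester server in an elevated PowerShell session. This is an added example and not part of the GYTPOL guide; "DOMAIN" is a placeholder for the NetBIOS domain name. There is no cmdlet that reads user rights assignments, so the batch logon check exports the local policy with secedit and looks for the account's SID on the SeBatchLogonRight line.

```powershell
# Added example (not from the GYTPOL guide): confirm on the dsRequester server that the
# gMSA is installed and holds exactly the rights the guide grants. Run elevated.
# 'DOMAIN' is a placeholder for the NetBIOS domain name.
Import-Module ActiveDirectory

$Gmsa = 'DOMAIN\gytGMSA$'
$Sid  = (New-Object System.Security.Principal.NTAccount($Gmsa)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value

$results = [ordered]@{}

# 1. Installed and usable on this host (the guide's Test-ADServiceAccount step).
$samName = $Gmsa.Split('\')[1]
$results['gMSA installed on this host'] = [bool](Test-ADServiceAccount -Identity $samName)

# 2. Member of the local Administrators group; compare SIDs, not display names.
$results['Local Administrators member'] =
    [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID.Value -eq $Sid })

# 3. 'Log on as a batch job' (SeBatchLogonRight). secedit writes the right as a list of
#    *SID entries, e.g. "SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551".
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$batchLine = Get-Content $inf | Where-Object { $_ -match '^SeBatchLogonRight' }
$results['Log on as a batch job'] = [bool]($batchLine -and ($batchLine -match [regex]::Escape("*$Sid")))
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Member of the domain 'Performance Log Users' group (directly or via nesting).
$results['Performance Log Users member'] =
    [bool](Get-ADGroupMember -Identity 'Performance Log Users' -Recursive | Where-Object { $_.SID.Value -eq $Sid })

$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Rights granted through group membership are only present in a token created after the change, so a task that already ran under the gMSA keeps its old token until the scheduler starts it again.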

Reconfigure GYTPOL Tasks to use the gMSA

Update Scheduled Tasks:

Update all gytpolServer scheduled tasks (3 in total) to run under the gMSA.
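One way to repoint the scheduled tasks at the gMSA from PowerShell, as an added example that is not part of the GYTPOL guide. The guide does not list the three task names, so the "gytpolServer*" name filter and "DOMAIN" are assumptions to adjust for your server. A gMSA has no password an operator can type, so the task principal is created with -LogonType Password, which makes the Task Scheduler fetch the managed password from Active Directory at run time; this is also why the account needs the "Log on as a batch job" right granted earlier.

```powershell
# Added example (not from the GYTPOL guide): run the gytpolServer scheduled tasks
# under the gMSA. The task-name filter and 'DOMAIN' are assumptions; replace them
# with the real task names and NetBIOS domain on your server. Run elevated.
$Gmsa = 'DOMAIN\gytGMSA$'

# LogonType Password with no -Password lets the scheduler retrieve the managed
# password itself; RunLevel Highest keeps the elevated context the tasks ran with before.
$principal = New-ScheduledTaskPrincipal -UserId $Gmsa -LogonType Password -RunLevel Highest

$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like 'gytpolServer*' })
if ($tasks.Count -ne 3) {
    Write-Warning "Expected 3 gytpolServer tasks, found $($tasks.Count); check the name filter before continuing."
}

foreach ($task in $tasks) {
    # Set-ScheduledTask keeps the existing actions and triggers and swaps only the principal.
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Principal $principal | Out-Null
}

# Verify: every matching task now reports the gMSA as its principal.
Get-ScheduledTask | Where-Object { $_.TaskName -like 'gytpolServer*' } |
    Select-Object TaskName,
                  @{ n = 'RunAs';     e = { $_.Principal.UserId } },
                  @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
```

After the change, run one task manually (Start-ScheduledTask) and check its Last Run Result; a logon failure at this point usually means the gMSA was not installed on this host or the batch logon right has not been granted.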

...