Overview
This guide provides step-by-step instructions for configuring an on-premises GYTPOL dsRequester Server to use a Group Managed Service Account (gMSA).
Follow these guidelines to ensure all GYTPOL components function correctly with the gMSA.
Guidelines
Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).
If the server is not yet installed, please refer to this guide to set up and install dsRequester.
Create and install the gMSA account.
Reconfigure key GYTPOL components to use the gMSA account.
Create the gMSA
Run the following PowerShell command to create the gMSA:
New-ADServiceAccount gytgmsa -DNSHostName demosrv1.demo.com -PrincipalsAllowedToRetrieveManagedPassword 'Gytpol Servers' -ManagedPasswordIntervalInDays 1
'Gytpol Servers' refers to a pre-created Active Directory group containing the computer account(s) of the GYTPOL server(s) where the gMSA will be installed.
Verify the creation of the gMSA account with:
Get-ADServiceAccount "gytgmsa"
Install the gMSA on the GYTPOL Server
Log in to the GYTPOL dsRequester Windows server.
Run the following PowerShell command:
Install-ADServiceAccount -Identity "gytgmsa"
Test the gMSA installation:
Test-ADServiceAccount "gytgmsa"
Grant the gMSA Proper Permissions
Assign local permissions:
Add the gMSA to the local Administrators group on the GYTPOL server.
Grant "Log on as a batch job" on the GYTPOL server and add the gMSA to the "Performance Log Users" group in the domain.
Set Active Directory permissions:
Grant the gMSA the necessary AD permissions for the GYTPOL Server to operate under its identity.
Reconfigure GYTPOL Components to Use the gMSA
Update Scheduled Tasks:
Modify all gytpolServer scheduled tasks to run under the gMSA:
Set the task to use the gMSA username (gytgmsa$) with an empty password.
Execute the tasks manually:
Right-click each of the three tasks and run it.
Monitor the tasks to ensure they are running without failures.
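The scheduled-task steps above can also be scripted. The following is an added example, not GYTPOL's own tooling: it confirms the gMSA is usable on the host, lists who may retrieve its managed password, switches the tasks to the gMSA, and reports each task's result. The NetBIOS domain name DEMO and the task-name pattern *gytpolServer* are assumptions; adjust them to your environment.

```powershell
# Added example (not GYTPOL code). Run elevated on the dsRequester server,
# with the ActiveDirectory module available (same requirement as Install-ADServiceAccount).
$gmsa    = 'gytgmsa'
$account = 'DEMO\gytgmsa$'      # assumption: NetBIOS domain name is DEMO
$pattern = '*gytpolServer*'     # assumption: task names contain "gytpolServer"

# Stop early if this host cannot retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "Test-ADServiceAccount failed for $gmsa on $env:COMPUTERNAME"
}

# Review who may retrieve the managed password.
# Expected: only the 'Gytpol Servers' group; anything else widens exposure of a local admin identity.
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

$tasks = @(Get-ScheduledTask | Where-Object TaskName -like $pattern)
if ($tasks.Count -eq 0) { throw "No scheduled tasks match $pattern" }

foreach ($task in $tasks) {
    # LogonType Password with no password supplied is how a gMSA principal is expressed;
    # Windows retrieves the managed password from AD when the task starts.
    # The task's existing run level is kept as it was.
    $principal = New-ScheduledTaskPrincipal -UserId $account -LogonType Password `
        -RunLevel "$($task.Principal.RunLevel)"
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Principal $principal |
        Out-Null
    Start-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
}

# Give the tasks a moment, then report identity and last result.
# 0x0 = success, 0x41301 = still running; investigate any other code.
Start-Sleep -Seconds 30
foreach ($task in $tasks) {
    $current = Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    $info    = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    [pscustomobject]@{
        Task           = $task.TaskName
        RunAs          = $current.Principal.UserId
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X}' -f $info.LastTaskResult
    }
}
```

If a task fails to start under the gMSA, recheck the "Log on as a batch job" right and the output of Test-ADServiceAccount before changing anything else.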