Overview
This guide provides step-by-step instructions for configuring an on-premises GYTPOL dsRequester Server to use a Group Managed Service Account (gMSA).
Follow these guidelines to ensure all GYTPOL components function correctly with the gMSA.
Guidelines / Prerequisites
Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).
If the server is not yet installed, refer to the dsRequester installation guide to set up and install it first.
Create a security group that will be allowed to retrieve the managed password for the gMSA.
Create and install the gMSA.
Reconfigure GYTPOL Tasks to use the gMSA.
Creating the Security Group (GroupName)
A security group is required to define which computers can retrieve the gMSA's managed password and use it.
This step is crucial before creating the gMSA.
Create the Security Group
Open Active Directory Users and Computers (ADUC) on a Domain Controller.
You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.
Right-click the desired OU, select New > Group, and name it (e.g., gMSA-GYTPOL-Servers). Set the group type to Security and click OK.
Enter the computer accounts that should have access to the gMSA under the Members tab.
Usually, this will include only the dsRequester server.
Create the gMSA
Identify the name of the gMSA you want to create (for example, gytGMSA). Determine the group or computer accounts that will be allowed to use this gMSA.
Open PowerShell as an Administrator on a Domain Controller.
You can also perform this on the dsRequester server, provided the necessary features are installed as specified in the prerequisites.
Run the following command to create the gMSA:
New-ADServiceAccount -Name "gytGMSA" -DNSHostName "domain.com" -PrincipalsAllowedToRetrieveManagedPassword "GroupName"
Replace gytGMSA with your desired gMSA name.
Replace domain.com with your domain name.
Replace GroupName with the name of the group you created (e.g., gMSA-GYTPOL-Servers).
The PrincipalsAllowedToRetrieveManagedPassword parameter ensures that only members of the specified group can retrieve the gMSA's managed password. This adds a layer of security and limits use of the account to specific computers or services.
Verify the creation of the gMSA account with:
Get-ADServiceAccount "gytGMSA"
Install the gMSA on the GYTPOL Server
Log in to the GYTPOL dsRequester server.
Open PowerShell as an Administrator.
Install the gMSA using:
Install-ADServiceAccount -Identity "gytGMSA"
Test the gMSA installation:
Test-ADServiceAccount "gytGMSA"
A True result indicates that the account is ready to use.
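Before granting the account any local privileges, it is worth confirming that the gMSA is scoped exactly as the steps above intend. The following PowerShell check is an added example, not part of the GYTPOL guide; it assumes the names used above (gytGMSA, gMSA-GYTPOL-Servers), the ActiveDirectory module (RSAT), and that it runs on the dsRequester server.

```powershell
# Added verification script, not part of the GYTPOL guide.
# Assumes the names used above and runs on the dsRequester server with the
# ActiveDirectory PowerShell module (RSAT) installed.
Import-Module ActiveDirectory

$gmsaName      = 'gytGMSA'               # gMSA created with New-ADServiceAccount
$groupName     = 'gMSA-GYTPOL-Servers'   # group allowed to retrieve the managed password
$expectedHosts = @($env:COMPUTERNAME)    # only the dsRequester server should be a member

$gmsa  = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$group = Get-ADGroup -Identity $groupName

# 1. The group created above must be the ONLY principal able to retrieve the password.
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed.Count -eq 1 -and $allowed[0] -eq $group.DistinguishedName) {
    Write-Host "OK: only $groupName can retrieve the managed password"
} else {
    Write-Warning "Unexpected retrieval principals: $($allowed -join ', ')"
}

# 2. Group membership should contain just the dsRequester computer account(s).
$members = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SamAccountName.TrimEnd('$') })
$extra   = @($members | Where-Object { $_ -notin $expectedHosts })
if ($extra.Count -eq 0) {
    Write-Host "OK: $groupName members: $($members -join ', ')"
} else {
    Write-Warning "Unexpected members in $groupName -> $($extra -join ', ')"
}

# 3. This host must actually be able to retrieve the managed password.
#    A computer added to the group needs a fresh Kerberos ticket (reboot) before this succeeds.
if (Test-ADServiceAccount -Identity $gmsaName) {
    Write-Host "OK: Test-ADServiceAccount returned True"
} else {
    Write-Warning "Test-ADServiceAccount returned False; check group membership and reboot this host"
}
```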
Use the gMSA for Local Administrators and Batch Privileges
Granting gMSA Local Administrator Privileges
Add the gMSA to the local Administrators group using PowerShell as Administrator. Replace Domain\gytGMSA$ with the gMSA's domain and name:
Add-LocalGroupMember -Group "Administrators" -Member "Domain\gytGMSA$"
The $ is required at the end of the gMSA name.
Adding the gMSA to "Log on as a Batch Job" Policy
The "Log on as a batch job" privilege allows the gMSA to execute tasks such as scheduled tasks or batch processes. Here's how to grant this privilege:
Open Local Security Policy
Log in to the target machine as an administrator.
Press Win + R, type secpol.msc, and press Enter to open the Local Security Policy console.
Locate the Policy
In the left pane, navigate to: Security Settings > Local Policies > User Rights Assignment
In the right pane, double-click Log on as a batch job.
Add the gMSA
In the Properties window, click Add User or Group.
In the dialog box, click Advanced, then click Find Now.
Search for the gMSA account. The account will appear as Domain\MyGMSA$. Select the gMSA and click OK.
Apply and Close
Click Apply and then OK to save the changes.
Close the Local Security Policy console.
Domain Permissions:
Add the gMSA to the "Performance Log Users" group in the domain.
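The three rights granted in this section are easy to get wrong (a typo in the name, or a rights assignment that silently did not apply), so a single check that reports all of them by SID is useful. This script is an added example, not part of the GYTPOL guide; it assumes the account name used above, runs as Administrator on the dsRequester server, and uses the ActiveDirectory module for the domain group check.

```powershell
# Added verification script, not part of the GYTPOL guide.
# Run as Administrator on the dsRequester server; assumes the account name used above
# and the ActiveDirectory module for the domain group check.
Import-Module ActiveDirectory

$gmsaAccount = 'Domain\gytGMSA$'   # replace Domain with your NetBIOS domain name
$sid = (New-Object System.Security.Principal.NTAccount($gmsaAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Local Administrators membership (compare by SID, not by display name)
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                        Where-Object { $_.SID.Value -eq $sid })

# 2. "Log on as a batch job": export the local user-rights policy with secedit and
#    check whether the gMSA's SID is listed under SeBatchLogonRight (SIDs appear as *S-1-...)
$cfg = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$batchLine = Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1
$hasBatchLogon = [bool]($batchLine -and ($batchLine.Line -match [regex]::Escape("*$sid")))
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Domain "Performance Log Users" membership
$isPerfLogUser = [bool](Get-ADGroupMember -Identity 'Performance Log Users' |
                         Where-Object { $_.SID.Value -eq $sid })

# Summary: every value should be True before reconfiguring the scheduled tasks
[pscustomobject]@{
    Account            = $gmsaAccount
    SID                = $sid
    LocalAdministrator = $isLocalAdmin
    LogOnAsBatchJob    = $hasBatchLogon
    PerformanceLogUser = $isPerfLogUser
}
```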
Reconfigure GYTPOL Tasks to use the gMSA
Update Scheduled Tasks:
Modify all gytpolServer scheduled tasks (3 in total) to run under the gMSA.
Follow these steps to use the script (be sure to modify the gMSA name as needed):
Open PowerShell ISE as an Administrator.
Copy and paste the script into the editor.
Run the script and verify the results.
# Define the gMSA Name (Hardcoded)
$gMSAName = "gytgMSA$"   # Include the $ suffix for the gMSA (use "Domain\gytgMSA$" if the bare name is not resolved)
# Set the Run Level
$runLevel = "Highest"    # Options: Highest, Limited, etc.
# Array of Task Names
$taskNames = @("gytpolServer", "gytpolServerDaily", "gytpolServerWeekly")
# Loop through each task and update the principal
foreach ($taskName in $taskNames) {
    # Create the Scheduled Task Principal (LogonType Password is required for a gMSA)
    $principal = New-ScheduledTaskPrincipal -UserID $gMSAName -LogonType Password -RunLevel $runLevel
    # Update the Scheduled Task with the new Principal
    Set-ScheduledTask -TaskName $taskName -Principal $principal
    Write-Host "Updated task: $taskName with gMSA: $gMSAName"
}
After the script runs successfully, the following output should appear on your screen:
Manually execute the tasks by right-clicking on them and selecting Run.
Verify that they remain in the "Running" status and do not terminate immediately.
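The manual check above can be scripted so that the principal of each task and its state after a start are reported together. This is an added example, not part of the GYTPOL guide; it assumes the same gMSA and task names as the reconfiguration script and runs as Administrator on the dsRequester server.

```powershell
# Added verification script, not part of the GYTPOL guide.
# Run as Administrator on the dsRequester server after the reconfiguration script;
# assumes the same gMSA and task names.
$gMSAName  = 'gytgMSA$'
$taskNames = @('gytpolServer', 'gytpolServerDaily', 'gytpolServerWeekly')

foreach ($name in $taskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction Stop
    $p    = $task.Principal

    # The principal must be the gMSA, logon type Password (required for gMSAs),
    # and run level Highest, exactly as set by Set-ScheduledTask in the guide.
    $principalOk = ($p.UserId -like "*$gMSAName") -and
                   ($p.LogonType -eq 'Password') -and
                   ($p.RunLevel  -eq 'Highest')

    # Start the task and give it a few seconds: a task that cannot log on
    # with the gMSA terminates immediately instead of staying in Running.
    Start-ScheduledTask -TaskName $name
    Start-Sleep -Seconds 10
    $state = (Get-ScheduledTask -TaskName $name).State
    $info  = Get-ScheduledTaskInfo -TaskName $name

    [pscustomobject]@{
        Task        = $name
        UserId      = $p.UserId
        PrincipalOk = $principalOk
        State       = $state                                # expect 'Running'
        LastResult  = ('0x{0:X}' -f $info.LastTaskResult)   # 0x41301 = task still running
    }
}
```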