Overview

This guide provides step-by-step instructions for configuring an on-premises GYTPOL dsRequester Server to use a Group Managed Service Account (gMSA).

Follow these guidelines to ensure all GYTPOL components function correctly with the gMSA.

Guidelines

  1. Install GYTPOL dsRequester Server with a regular user account (do not use the gMSA for initial installation).

    1. If the server is not yet installed, refer to this guide to set up and install dsRequester.

  2. Create and install the gMSA account.

  3. Reconfigure key GYTPOL components to use the gMSA account.

Create the gMSA

Run the following PowerShell command to create the gMSA:

New-ADServiceAccount gytgmsa -DNSHostName demosrv1.demo.com -PrincipalsAllowedToRetrieveManagedPassword 'Gytpol Servers' -ManagedPasswordIntervalInDays 1

'Gytpol Servers' refers to a pre-created Active Directory group containing the computer account(s) of the GYTPOL server(s) where the gMSA will be installed.

Verify the creation of the gMSA account with:

Get-ADServiceAccount "gytgmsa"

Install the gMSA on the GYTPOL Server

  1. Log in to the GYTPOL dsRequester Windows server.

  2. Run the following PowerShell command:

    Install-ADServiceAccount -Identity "gytgmsa"

  3. Test the gMSA installation:

    Test-ADServiceAccount "gytgmsa"

Assign Permissions for gMSA

Local Permissions:

  1. Add the gMSA to the local Administrators group on the GYTPOL server.

  2. Grant the "Log on as a batch job" permission on the GYTPOL server.

    1. Open Local Security Policy (Win + R, type secpol.msc).

    2. Go to Security Settings > Local Policies > User Rights Assignment.

    3. Find "Log on as a batch job", right-click, and select Properties.

    4. Click Add User or Group, enter the gMSA, and confirm.

Domain Permissions:

  1. Add the gMSA to the "Performance Log Users" group in the domain.

Reconfigure GYTPOL Components to Use the gMSA

  1. Update Scheduled Tasks:

    • Modify all gytpolServer scheduled tasks to run under the gMSA:

      1. Set the task to use the gMSA username (gytgmsa$) with an empty password.

  2. Execute the tasks manually:

    • Right-click and run all three tasks.

    • Monitor the tasks to ensure they are running without failures.
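
The reconfiguration and checks above can also be scripted. The following PowerShell is an added example, not part of the original guide or of GYTPOL's own tooling; it verifies the gMSA and its local Administrators membership, re-points the scheduled tasks at the gMSA, and reads back each task's principal and last result. The NetBIOS domain name `DEMO` and the task wildcard `*gytpol*` are assumptions; replace them with the values from your environment.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked "assumption" are not from the guide.
Import-Module ActiveDirectory            # module that provides Test-ADServiceAccount

$GmsaName    = 'gytgmsa'                 # gMSA created earlier in this guide
$Domain      = 'DEMO'                    # assumption: NetBIOS name of the demo.com domain
$TaskPattern = '*gytpol*'                # assumption: wildcard matching the gytpolServer tasks
$Account     = "$Domain\$GmsaName`$"     # gMSA logon names end in '$'

# 1. The host must be able to retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA '$GmsaName' failed Test-ADServiceAccount on $env:COMPUTERNAME."
}

# 2. Local Administrators membership (well-known SID, so it works on localized builds).
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
if ($admins -notcontains $Account) {
    Write-Warning "$Account is not a direct member of the local Administrators group."
}

# 3. Re-point each task at the gMSA. A principal with LogonType Password and no
#    password supplied is how a gMSA is registered; the managed password comes from AD.
$tasks = @(Get-ScheduledTask -TaskName $TaskPattern)
if ($tasks.Count -eq 0) { throw "No scheduled task matches '$TaskPattern'." }
foreach ($task in $tasks) {
    # Keep each task's existing run level rather than assuming one.
    $principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Password -RunLevel $task.Principal.RunLevel
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Principal $principal | Out-Null
}

# 4. Read back the principal and last result of each task.
#    0x0 = success, 0x41301 = currently running, 0x41303 = has not run yet.
Get-ScheduledTask -TaskName $TaskPattern | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $_.TaskName
        RunAs      = $_.Principal.UserId
        LogonType  = $_.Principal.LogonType
        LastRun    = $info.LastRunTime
        LastResult = '0x{0:X}' -f $info.LastTaskResult
    }
} | Format-Table -AutoSize
```

Run step 4 again after executing the tasks manually; a `LastResult` other than `0x0` on a finished task points to a missing permission from the sections above.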
