We have RODC in a DMZ site and we would like to use GMSA, but the problem is that since domain controllers are read-only, it seems that I have to set a password at the creation of a new account such as:
New-ADServiceAccount -name STEST01_gmsa -DNSHostName STEST01_gmsa.mydomain.local -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword MyGROUP_TEST01_GMSA
The problem is that I've already tried a lot of different ways and none of them worked. This last command returns the following error:
New-ADServiceAccount : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ New-ADServiceAccount -name STEST01_gmsa -PrincipalsAllowedToRetrieveM ...
    + CategoryInfo          : InvalidArgument: (:) [New-ADServiceAccount], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
Please help figure out what's missing here.
The "AccountPassword" attribute is ignored for gMSAs; it can be used for standard MSAs in scenarios like the one you describe, where there is no writable access to a domain controller.
Quoting Microsoft docs: "In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs."
https://docs.microsoft.com/en-us/powershell/module/activedirectory/install-adserviceaccount?view=winserver2012-ps#parameters
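The standalone-MSA flow the answer describes, written out as an added example (not code from the question, the answer, or Microsoft's documentation). The names SVC_DMZ01 (the standalone MSA) and DMZSRV01 (the member server in the RODC site) are placeholders; the domain mydomain.local is the one from the question. In the ActiveDirectory module, -AccountPassword belongs to the standalone-MSA parameter sets (selected with -RestrictToSingleComputer), not to the gMSA parameter set selected by -DNSHostName and -PrincipalsAllowedToRetrieveManagedPassword, which is why mixing the two produces the ambiguous-parameter-set error shown above.

```powershell
# Added example: standalone MSA for a server in an RODC-only site.
# Assumed placeholders: SVC_DMZ01 = the MSA name, DMZSRV01 = the member server.
Import-Module ActiveDirectory

$msaName  = 'SVC_DMZ01'
$hostName = 'DMZSRV01'

# ---- Part 1: run from an admin workstation that can reach a writable DC ----

# Prompt for the well-known password rather than embedding it in the script; the
# same value has to be supplied again when the MSA is installed in the RODC site.
$msaPassword = Read-Host -AsSecureString -Prompt "Password for standalone MSA $msaName"

# -RestrictToSingleComputer selects the standalone-MSA parameter set, the only
# one that honours -AccountPassword. Do not add -DNSHostName or
# -PrincipalsAllowedToRetrieveManagedPassword here: those belong to gMSAs.
New-ADServiceAccount -Name $msaName `
    -RestrictToSingleComputer `
    -AccountPassword $msaPassword `
    -Enabled $true

# Link the MSA to the one computer account that is allowed to use it.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# ---- Part 2: run ON $hostName, which only sees the read-only DC ----

# Because the host cannot talk to a writable DC, it cannot retrieve the password
# itself; the well-known password is passed explicitly instead.
$installPassword = Read-Host -AsSecureString -Prompt "Password for standalone MSA $msaName"
Install-ADServiceAccount -Identity $msaName -AccountPassword $installPassword

# Verify that the host can actually authenticate as the MSA. If this fails even
# though the link exists, the usual cause is that the RODC is not allowed to
# cache the account's secret (password replication policy) - an assumption about
# your environment, not something stated in the thread.
if (Test-ADServiceAccount -Identity $msaName) {
    Write-Output "$msaName is installed and usable on $hostName"
} else {
    Write-Warning "$msaName is not usable on $hostName; check the computer link and the RODC password replication policy"
}
```

Part 1 needs the AD PowerShell module and rights to create service accounts in the domain; Part 2 needs local administrator rights on the target server. Keeping the password out of the script (prompted, as a SecureString) matters more here than in a writable-DC site, because the standalone MSA's secret is now something an operator handles rather than something the domain manages automatically.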