Is there a way to list the current list of all the groups and/or hosts in the PrincipalsAllowedToRetrieveManagedPassword
property of a gMSA (group Managed Service Account)?
There isn't any help on the "Getting Started" page, what is more their examples are returning errors and are not very clear.
It turns out that you can list all the properties for gMSA by running:
And if you want to narrow down the list you can use:
It's not very readable, since it's a list of distinguished names and has several other properties listed, but it's a useful command.
Update: to show all the entries from this property you can use this command, which is shorter and easier to handle than what @Gregory posted
You can select a specific property, instead of the wildcard *, to decrease the data flowing over the network, but the line becomes prohibitively long due to the verbose name of the property.
If the list of Principals includes an ellipsis (…), then you will need a foreach loop to get the full list:
Get-ADServiceAccount -Identity <gMSA-account> -Properties PrincipalsAllowedToRetrieveManagedPassword | select PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { $_.PrincipalsAllowedToRetrieveManagedPassword }
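As an added example (not part of either answer above), the following script takes the same PrincipalsAllowedToRetrieveManagedPassword query a step further: it resolves the distinguished names to sAMAccountNames and object classes, optionally expands group principals to their recursive members, and can run across every gMSA in the domain. That last form is the one to use for a review, because every principal in that list can ask the KDS for the current password, so a compromised member host or a stale group membership is effectively a credential exposure. The list is read with Select-Object -ExpandProperty, which returns the raw DN strings and so never shows the "..." truncation that Format-Table applies past $FormatEnumerationLimit. The account name svc-web is a placeholder; the script assumes the ActiveDirectory RSAT module and a domain-joined host with read access to the gMSA objects.

```powershell
# Added example, not code from the original answers.
# Assumes the ActiveDirectory RSAT module and read access to the gMSA objects.
Import-Module ActiveDirectory

function Get-GmsaPasswordRetrievers {
    [CmdletBinding()]
    param(
        # Filter for Get-ADServiceAccount; '*' enumerates every gMSA in the domain
        [string]$Filter = '*',
        # Also list the recursive members of any group found in the principals list
        [switch]$ExpandGroups
    )

    Get-ADServiceAccount -Filter $Filter -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $gmsa = $_
            # -ExpandProperty yields the DN strings themselves, so nothing is
            # collapsed to "..." the way Format-Table/Format-List do past $FormatEnumerationLimit.
            $dns = @($gmsa | Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword)

            if ($dns.Count -eq 0) {
                # An empty list means no principal can retrieve the password at all;
                # report it explicitly rather than silently emitting nothing.
                [PSCustomObject]@{ gMSA = $gmsa.SamAccountName; Principal = '<none>'; Type = ''; Via = '' }
                return   # inside ForEach-Object this just moves on to the next gMSA
            }

            foreach ($dn in $dns) {
                # Resolve the DN to something readable: a computer, user or group
                $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass
                [PSCustomObject]@{
                    gMSA      = $gmsa.SamAccountName
                    Principal = $obj.sAMAccountName
                    Type      = $obj.objectClass
                    Via       = ''
                }

                if ($ExpandGroups -and $obj.objectClass -eq 'group') {
                    # Every recursive member of the group can retrieve the password too
                    Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                        [PSCustomObject]@{
                            gMSA      = $gmsa.SamAccountName
                            Principal = $_.SamAccountName
                            Type      = $_.objectClass
                            Via       = $obj.sAMAccountName
                        }
                    }
                }
            }
        }
}

# One account, as in the answers above, with group principals expanded.
# 'svc-web' is a placeholder name.
Get-GmsaPasswordRetrievers -Filter "Name -eq 'svc-web'" -ExpandGroups | Format-Table -AutoSize

# Whole domain: who can pull each service account's password.
Get-GmsaPasswordRetrievers | Sort-Object gMSA, Principal | Format-Table -AutoSize
```

The Via column tells you whether a principal is listed directly or inherits the right through a group, which is the distinction that matters when you decide what to remove. The property only accepts computers, users and groups, so the objectClass check covers every entry the attribute can legitimately hold.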