Just out of curiosity, and also because I couldn't find the answers to this anywhere: I am learning AD LDAP and came across a scenario for using a non-interactive service account for binding LDAP. I am not able to understand the uses of these account types. Any help/explanation is deeply appreciated!
We've got a service running using a Group Managed Service Account on a Windows Server 2016 host (HostA).
We're extending the functionality of this service so that it runs an R script which needs to access a file share \\HostB\Data on another Windows Server 2016 server. This is running third party R code - so it's not something we can easily change.
We've granted access to the gMSA using normal File and Storage Services - and restarted both servers just in case something was caching permissions.
However, the R call called by the gMSA to list.files on the HostB shared folder fails with a "file not found" error.
The same R code runs fine on my user account which has similarly configured share permissions.
Is there anything else I need to configure on the server which is sharing the folder? e.g. does the gMSA need login permission on that host? Or does that host need to be able to retrieve the password for the gMSA?
We have RODC in a DMZ site and we would like to use GMSA, but the problem is that since domain controllers are read-only, it seems that I have to set a password at the creation of a new account such as:
New-ADServiceAccount -name STEST01_gmsa -DNSHostName STEST01_gmsa.mydomain.local -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword MyGROUP_TEST01_GMSA
The problem is that I've already tried a lot of different ways and none of them worked. This last command returns the following error:
New-ADServiceAccount : Parameter set cannot be resolved using the specified named parameters. At line:1 char:1
- New-ADServiceAccount -name STEST01_gmsa -PrincipalsAllowedToRetrieveM ...
+ CategoryInfo : InvalidArgument: (:) [New-ADServiceAccount], ParameterBindingException + FullyQualifiedErrorId :
AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
Please help figure out what's missing here.
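A diagnostic for the error above, added here and not from the poster: it maps the parameter names used in the failing command onto the parameter sets of New-ADServiceAccount, which is what PowerShell could not do unambiguously. In the ActiveDirectory module, -AccountPassword is only valid for standalone MSAs (the -RestrictToSingleComputer / -RestrictToOutboundAuthenticationOnly sets), while -PrincipalsAllowedToRetrieveManagedPassword belongs to the group MSA set; a gMSA's password is generated by the KDS and is never supplied by the administrator. The snippet is read-only and assumes RSAT is installed.

```powershell
# Added diagnostic (not part of the original question): explain an
# "AmbiguousParameterSet" binding error by checking which parameter sets of
# New-ADServiceAccount accept every parameter that the command supplied.
Import-Module ActiveDirectory

# Parameter names taken from the command in the question; values are not needed,
# because parameter-set resolution only looks at which parameters are present.
$used = @(
    'Name',
    'DNSHostName',
    'AccountPassword',
    'Enabled',
    'PrincipalsAllowedToRetrieveManagedPassword'
)

$cmd = Get-Command -Name New-ADServiceAccount

# 1. For each supplied parameter, list the parameter sets that contain it.
foreach ($p in $used) {
    $sets = $cmd.ParameterSets |
        Where-Object { $_.Parameters.Name -contains $p } |
        ForEach-Object { $_.Name }
    '{0,-46} {1}' -f "-$p", ($sets -join ', ')
}

# 2. Keep only the sets that contain *all* supplied parameters. If this list is
#    empty, no single set can bind the call, which PowerShell reports as
#    "Parameter set cannot be resolved using the specified named parameters".
$viable = $cmd.ParameterSets |
    Where-Object {
        $names = $_.Parameters.Name
        -not ($used | Where-Object { $names -notcontains $_ })
    } |
    ForEach-Object { $_.Name }

if ($viable) {
    "Viable parameter set(s): " + ($viable -join ', ')
} else {
    "No parameter set accepts all supplied parameters; drop the parameter(s) " +
    "listed above that belong to a different set from the others."
}
```

Run it on any host with the RSAT ActiveDirectory module; it does not contact a domain controller or create anything.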
I had a problem where newly created Managed Service Accounts did not have "Logon as a service" right. A GPO was excluding "NT SERVICE\ALL SERVICES" from "Logon as a service". This was fixed.
Am I right in thinking that Install-ADServiceAccount adds the MSA account to "NT SERVICE\ALL SERVICES"?
The service I'm implementing will run on a domain controller, so I'd like it to have minimal privileges. Ideally, it would simply run as Local Service. However, it needs to be able to:
- monitor performance counters (be a member of Performance Monitor Users)
- manage performance counters, logs and alerts (be a member of Performance Log Users)
- read event logs (be a member of Event Log Readers)
Adding Local Service to these groups is obviously not a good approach. Running the service as the Virtual Service Account generated for it will allow it to access the network with the computer's identity, which is also undesirable. So I'd like to run it as Local Service with a non-zero SID type, thereby passing on to it the privileges given to the VSA.
I'm having trouble adding the service's VSA to the groups stated above. I suspect it is because the VSA is local (and exists only within the domain controller), while the groups are domain groups. Is it possible?
Group Managed Service Accounts may prove to be useful (replacing the VSA), but they need to be created manually.
What's the correct approach to set up a service to run with only the specified permissions, while the deployment has no prerequisites (no GMSA creation)?
Answers specific to specified groups are also welcome.