Problems installing AD Service Acct


Mike Leone

May 8, 2026, 3:23:54 PM (4 days ago) May 8
to NTPowershell Mailing List, NTSysAdmin
I've done this successfully a few times before, so I don't know what's going wrong here ...

I need to create 2 gMSAs to use for SQL Server (1 for SQL, 1 for the SQL Agent). So I create a group in AD, and I stick the computer account I plan to use the service accounts on into it:

> Get-ADGroup -Identity "DDB009_DB_Hosts"

DistinguishedName : CN=DDB009_DB_Hosts,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
GroupCategory     : Security
GroupScope        : Global
Name              : DDB009_DB_Hosts
ObjectClass       : group
ObjectGUID        : 96f1d96d-0a21-4037-966a-637c3ce34d4d
SamAccountName    : DDB009_DB_Hosts
SID               : S-1-5-21-173682997-1056865346-324618207-53797

> Add-ADGroupMember -Identity "DDB009_DB_Hosts" -Members "DC2DDB009$"

So then I create the 2 service accounts and use that group name as the hosts allowed to manage the password:

> New-ADServiceAccount DDB009_SQL_Svc -DNSHostName DDB009_SQL_Svc.wrk.ads.pha.phila.gov -PrincipalsAllowedToRetrieveManagedPassword DDB009_DB_Hosts -ManagedPasswordIntervalInDays 30

> New-ADServiceAccount DDB009_AgtSvc -DNSHostName DDB009_AgtSvc.wrk.ads.pha.phila.gov -PrincipalsAllowedToRetrieveManagedPassword DDB009_DB_Hosts -ManagedPasswordIntervalInDays 30

I go over to that host (DC2DDB009), log in with the same AD account I used to create the service accounts, and try to install the service account. First I check that I can access the acct:

> Get-ADServiceAccount -Identity "DDB009_SQL_Svc"

DistinguishedName : CN=DDB009_SQL_Svc,CN=Managed Service Accounts,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
Enabled           : True
Name              : DDB009_SQL_Svc
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 5ac967f2-24ce-40fb-a2ad-551aa1e62803
SamAccountName    : DDB009_SQL_Svc$
SID               : S-1-5-21-173682997-1056865346-324618207-65544
UserPrincipalName :

and it fails ...

> Install-ADServiceAccount -Identity "DDB009_SQL_Svc"
Install-ADServiceAccount : Cannot install service account. Error Message: '{Access Denied}
A process has requested access to an object, but has not been granted those access rights.'.
At line:1 char:1
+ Install-ADServiceAccount -Identity "DDB009_SQL_Svc"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (DDB009_SQL_Svc:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount


And I don't know why ... This is the first time I am trying this on Win 2025, but I've done it 3 or 4 times on Win 2022, this exact same way ...

What am I missing here? I made sure the name of the service accts, and the group name of the hosts, were within the 15 char NetBIOS limit. Obviously AD has synchronized, or I wouldn't be able to check on the AD Service account while on the destination host.

Is there something special on Win 2025 I need to do?


--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Michael Leone

May 8, 2026, 3:31:07 PM (4 days ago) May 8
to ntsys...@googlegroups.com, NTPowershell Mailing List
DUH. Yes, I'm an idiot. I added the computer account to the group, but hadn't refreshed its group membership yet. Once I did 

C:\Windows\system32\KLIST -li 0x3e7 purge

Then I am able to install both service accounts on the target host:

> Install-ADServiceAccount -Identity "DDB009_SQL_Svc"
> Install-ADServiceAccount -Identity "DDB009_AgtSvc"

Sorry. Move on, nothing to see here. LOL





--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BgL5Nm7cj9cH_TOyEm44P2Sn4uPVkHU01%3DG7sVBLLBVCw%40mail.gmail.com.

Wright, John M

May 8, 2026, 3:32:14 PM (4 days ago) May 8
to ntpowe...@googlegroups.com, NTSysAdmin

I assume the command is being run as administrator.  Is the server listed in the PrincipalsAllowedToRetrieveManagedPassword parameter of the gMSA?

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BgL5Nm7cj9cH_TOyEm44P2Sn4uPVkHU01%3DG7sVBLLBVCw%40mail.gmail.com.

Wright, John M

May 8, 2026, 3:34:25 PM (4 days ago) May 8
to ntpowe...@googlegroups.com, NTSysAdmin

Sorry.  I just reread your email.  Let me think a bit more and come up with something else.


Wright, John M

May 8, 2026, 3:36:47 PM (4 days ago) May 8
to ntpowe...@googlegroups.com, NTSysAdmin

Okay, how about this?  Is RC4 disabled?  If so, you might need:

Set-ADServiceAccount -Identity <AccountName> -KerberosEncryptionType AES256
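The procedure Mike walks through above (host group, two gMSAs with that group as PrincipalsAllowedToRetrieveManagedPassword, then Install-ADServiceAccount on the host), the stale-ticket cause he found for the Access Denied, and John's point about the account's Kerberos encryption types, pulled together as an added PowerShell example. This is not a script from the thread; the group, host, account names, OU and domain suffix are taken from the posts, while the KDS root key check, the Test-ADServiceAccount gate before install, and the etype decoder are my additions. Part 1 runs wherever you have rights to create the objects; Part 2 runs in an elevated session on the SQL host.

```powershell
# Added example, not a script from the thread. Uses the group, gMSA and host names from the
# posts above; the OU path and domain suffix are taken from the DNs shown there. Part 1 runs
# where you have rights to create the objects; Part 2 runs in an elevated session on the
# SQL host itself. Requires the RSAT ActiveDirectory module in both places.
Import-Module ActiveDirectory

$Group    = 'DDB009_DB_Hosts'
$SqlHost  = 'DC2DDB009'
$Domain   = 'wrk.ads.pha.phila.gov'
$ServerOU = 'OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov'
$Accounts = 'DDB009_SQL_Svc', 'DDB009_AgtSvc'

# Decode msDS-SupportedEncryptionTypes (bit flags) so the audit output is readable.
function Get-EtypeNames {
    param([int]$Mask)
    $names = @()
    if ($Mask -band 0x01) { $names += 'DES-CBC-CRC' }
    if ($Mask -band 0x02) { $names += 'DES-CBC-MD5' }
    if ($Mask -band 0x04) { $names += 'RC4-HMAC' }
    if ($Mask -band 0x08) { $names += 'AES128' }
    if ($Mask -band 0x10) { $names += 'AES256' }
    if ($names.Count -eq 0) { 'unset (domain default applies)' } else { $names -join ',' }
}

# ---- Part 1: provisioning (admin workstation or DC) ----

# gMSA passwords are derived from a KDS root key; without one New-ADServiceAccount fails.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key. Run Add-KdsRootKey and wait for replication before continuing.'
}

# The host group is effectively the ACL on the managed password: every member (and anything
# that can act as a member) can retrieve the gMSA's credential.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $ServerOU
}
Add-ADGroupMember -Identity $Group -Members "$SqlHost`$"

foreach ($Name in $Accounts) {
    # sAMAccountName is the name plus a trailing '$', so the name itself must fit in 15 chars.
    if ($Name.Length -gt 15) { throw "$Name is longer than the 15-character sAMAccountName limit" }
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
        New-ADServiceAccount -Name $Name `
            -DNSHostName "$Name.$Domain" `
            -PrincipalsAllowedToRetrieveManagedPassword $Group `
            -ManagedPasswordIntervalInDays 30 `
            -KerberosEncryptionType AES256   # do not offer RC4 for this account
    }
}

# Audit: who may read the password, and which etypes the account advertises.
foreach ($Name in $Accounts) {
    $acct = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account = $acct.SamAccountName
        Allowed = ($acct.PrincipalsAllowedToRetrieveManagedPassword |
                   ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        Etypes  = Get-EtypeNames -Mask ([int]$acct.'msDS-SupportedEncryptionTypes')
    }
}

# ---- Part 2: install (elevated PowerShell on DC2DDB009) ----

# The DC decides "may this machine read the password?" from the group SIDs carried in the
# computer account's Kerberos ticket, not from a live group lookup. A TGT obtained before the
# Add-ADGroupMember above does not contain the new group, so Install-ADServiceAccount gets
# Access Denied until the machine (logon session 0x3e7 = SYSTEM) holds a fresh ticket.
# Reading the gMSA object with Get-ADServiceAccount as your own user proves nothing here.
klist -li 0x3e7 purge | Out-Null

foreach ($Name in $Accounts) {
    # Test-ADServiceAccount attempts the password retrieval as this machine and returns
    # $false when the host is not entitled; that is the condition behind the Access Denied.
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        Write-Warning "${Name}: this host cannot retrieve the managed password; check membership of $Group and 'klist -li 0x3e7'"
        continue
    }
    Install-ADServiceAccount -Identity $Name
    Write-Host "Installed $Name; configure the service to log on as $env:USERDOMAIN\$Name`$ with no password"
}
```

Two things worth keeping in mind from this. PrincipalsAllowedToRetrieveManagedPassword is the real access control on the gMSA's credential: anything on that list, or any member of a group on it, can pull the password, so review it the way you would review a privileged group, and being able to read the gMSA object as an ordinary domain user says nothing about whether the host is entitled. And that entitlement is evaluated from the group SIDs in the machine's own ticket, so a membership change only takes effect once the machine's ticket is refreshed, by purging logon session 0x3e7 as in the thread or by a reboot.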

Wright, John M

May 8, 2026, 3:39:46 PM (4 days ago) May 8
to ntsys...@googlegroups.com, NTPowershell Mailing List

Glad it’s sorted.  😊


Michael Leone

May 8, 2026, 3:41:27 PM (4 days ago) May 8
to ntsysadmin
Yes and yes. I just hadn't refreshed the group membership on the target server yet. It's all good now, I'm installing SQL Server now.

Philip Elder

May 8, 2026, 8:03:09 PM (4 days ago) May 8
to ntsys...@googlegroups.com, NTPowershell Mailing List

Question, because I have an OCD twinge. Is the underscore missing or intentionally missing?


Nothing serious … just you know, OCD. 😉


Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@MPECSInc.Ca

Phone: +1 (780) 458-2028

Web: www.MPECSInc.Com

Blog: Blog.MPECSInc.Com  

Twitter: Twitter.com/MPECSInc


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Mike Leone

May 8, 2026, 10:02:31 PM (4 days ago) May 8
to NTSysAdmin, NTPowershell Mailing List

On Fri, May 8, 2026, 8:03 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Question, because I have an OCD twinge. Is the underscore missing or intentionally missing?

Nothing serious … just you know, OCD. 😉

Intentional. NetBIOS is limited to 15 characters, and in a previous service account, I was going 1 character over. So I dropped it, and it then sort of became a naming convention after that. Silly, I know, and if I had to, I'd drop the underscore from the other SQL related service account, since they're really a related pair.
