Problems creating a Group Managed Service Account


Mike Leone

Sep 10, 2025, 2:59:14 PM
to NTSysAdmin
Looking for some guidance here, I'm sure it's something simple I am overlooking.

I am creating 2 gMSAs, going to use them to run SQL Server and SQL Server Agent. So I created a group, added the 2 computers where these accounts will run: 
(I really only plan on running them on 1 computer, but that computer replaces an older one, so I added both the older and newer computer objects)

PS O:\> Get-ADGroup -Identity EliteDevDBHosts

DistinguishedName : CN=EliteDevDBHosts,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
GroupCategory     : Security
GroupScope        : Global
Name              : EliteDevDBHosts
ObjectClass       : group
ObjectGUID        : d67eb9fb-cd8d-42d4-9801-2792b2c2e703
SamAccountName    : EliteDevDBHosts
SID               : S-1-5-21-173682997-1056865346-324618207-52310


PS O:\> Get-ADGroupMember -Identity EliteDevDBHosts

distinguishedName : CN=DCTRDEV035,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
name              : DCTRDEV035
objectClass       : computer
objectGUID        : 9c115241-b41a-4ac9-9457-8e097e1edddd
SamAccountName    : DCTRDEV035$
SID               : S-1-5-21-173682997-1056865346-324618207-38071

distinguishedName : CN=DC2DDB008,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
name              : DC2DDB008
objectClass       : computer
objectGUID        : e41bd52b-dd5d-453c-b6dd-47c6ca6af965
SamAccountName    : DC2DDB008$
SID               : S-1-5-21-173682997-1056865346-324618207-48658

Then I create the 2 service accounts, and use the above group as the hosts that can manage the password:

PS O:\> New-ADServiceAccount EliteDev_SQLSvc -DNSHostname EliteDEV_SQLSvc.wrk.ads.pha.phila.gov -PrincipalsAllowedToDelegateToAccount EliteDevDBHosts -ManagedPasswordIntervalInDays 30
PS O:\> New-ADServiceAccount EliteDev_AgtSvc -DNSHostname EliteDEV_AgtSvc.wrk.ads.pha.phila.gov -PrincipalsAllowedToDelegateToAccount EliteDevDBHosts -ManagedPasswordIntervalInDays 30

PS O:\> Get-ADServiceAccount EliteDev_SQLSvc                                       

DistinguishedName : CN=EliteDev_SQLSvc,CN=Managed Service Accounts,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
Enabled           : True
Name              : EliteDev_SQLSvc
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 7cc8aca2-d8b7-4813-84f3-9968f553806c
SamAccountName    : EliteDev_SQLSvc$
SID               : S-1-5-21-173682997-1056865346-324618207-52311
UserPrincipalName :

PS O:\> Get-ADServiceAccount EliteDev_AgtSvc

DistinguishedName : CN=EliteDev_AgtSvc,CN=Managed Service Accounts,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
Enabled           : True
Name              : EliteDev_AgtSvc
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 3067b8cd-2ed7-4241-8a85-d6a7265f52dc
SamAccountName    : EliteDev_AgtSvc$
SID               : S-1-5-21-173682997-1056865346-324618207-52312
UserPrincipalName :

So then, I go over to the host where they will run (DC2DDB008) and try to install them. And no go ..

PS D:\> import-module ActiveDirectory
PS D:\> Install-ADServiceAccount -Identity "EliteDev_SQLSvc"
Install-ADServiceAccount : Cannot install service account. Error Message: '{Access Denied}
A process has requested access to an object, but has not been granted those access rights.'.
At line:1 char:1
+ Install-ADServiceAccount -Identity "EliteDev_SQLSvc"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (EliteDev_SQLSvc:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD
   irectory.Management.Commands.InstallADServiceAccount


What's odd is that I don't see the group name in the properties of the service account:

PS D:\> Get-ADServiceAccount -Identity "EliteDev_SQLSvc" -Properties PrincipalsAllowedToRetrieveManagedPassword

DistinguishedName                          : CN=EliteDev_SQLSvc,CN=Managed Service
                                             Accounts,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
Enabled                                    : True
Name                                       : EliteDev_SQLSvc
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 7cc8aca2-d8b7-4813-84f3-9968f553806c
PrincipalsAllowedToRetrieveManagedPassword : {}
SamAccountName                             : EliteDev_SQLSvc$
SID                                        : S-1-5-21-173682997-1056865346-324618207-52311
UserPrincipalName                          :

And yet I do see a group name on other, working service accounts:

PS Z:\> Get-ADServiceAccount -Identity "PSSQL20_SQL_Svc" -Properties PrincipalsAllowedToRetrieveManagedPassword


DistinguishedName                          : CN=PSSQL20_SQL_Svc,CN=Managed Service
                                             Accounts,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
Enabled                                    : True
Name                                       : PSSQL20_SQL_Svc
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : bed5f471-3e67-4d65-8492-1fa1d88caf7e
PrincipalsAllowedToRetrieveManagedPassword : {CN=PSSQL20_C_Hosts,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov}
SamAccountName                             : PSSQL20_SQL_Svc$
SID                                        : S-1-5-21-173682997-1056865346-324618207-49794
UserPrincipalName                          :

PS Z:\> get-adgroupmember -Identity pssql20_C_Hosts

distinguishedName : CN=DC1HCMD01,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
name              : DC1HCMD01
objectClass       : computer
objectGUID        : c03393ba-aef2-4878-a02e-05d8eb5a2abb
SamAccountName    : DC1HCMD01$
SID               : S-1-5-21-173682997-1056865346-324618207-47871

distinguishedName : CN=DC1HCMD02,OU=Servers,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov
name              : DC1HCMD02
objectClass       : computer
objectGUID        : 1e65f48b-f833-433e-8345-ea1300c9d408
SamAccountName    : DC1HCMD02$
SID               : S-1-5-21-173682997-1056865346-324618207-48540

So why is my group of hosts not being set to manage this service account password?

I thought maybe it was some silly thing like the sAMAccountName being too long, but I counted, it's 15 characters, the allowed max size.

Google AI says:

Common Causes and Solutions:
  • Missing or Incorrect PrincipalsAllowedToRetrieveManagedPassword:
    • Problem: The computer account (e.g., Server1$) or a security group containing it, is not specified in the PrincipalsAllowedToRetrieveManagedPassword attribute of the gMSA.

But that's not the case here. I mean, I can try adding just the 1 computer account, instead of a group, to be PrincipalsAllowedToRetrieveManagedPassword. But I'd really like to know what I did wrong ...


--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Wright, John M

Sep 10, 2025, 3:30:18 PM
to ntsys...@googlegroups.com

Have you restarted DC2DDB008 since you set up everything else?  Might need that to update group membership.

 

--

John Wright

IT Support Specialist



Mike Leone

Sep 10, 2025, 3:35:44 PM
to ntsys...@googlegroups.com
On Wed, Sep 10, 2025 at 3:30 PM Wright, John M <John....@newvista.org> wrote:

Have you restarted DC2DDB008 since you set up everything else?  Might need that to update group membership.


I did. It didn't help.

I did end up resolving it, the scorched earth way .. I removed the service account and re-created it from scratch. This time, it worked, I see the group name in the PrincipalsAllowedToRetrieveManagedPassword.

I have a horrible sneaking feeling I did something incredibly brain dead stupid the first time, such as using PrincipalsAllowedToDelegateToAccount instead of the above. But I tried to set it afterwards, and it didn't seem to take.

Anyway, I was able to Install-ADServiceAccount on the host I want to use it, so I guess I am good to go.

Sorry for the inconvenience.
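The fix the thread arrives at, as an added example that is not code from either poster: the creation command with the right parameter, a check that the intended host can actually retrieve the password (expanding group membership the way the KDS check does), and a flag for the delegation attribute that the wrong parameter sets instead. Account, group, host and DNS suffix names are taken from the thread for illustration; the function name is an assumption.

```powershell
# Added example, not code from the thread: create the gMSA with the host group allowed to
# retrieve its password, then audit the account before installing it on a host.
# All names (gMSA, group, host, DNS suffix) are assumptions for illustration.
Import-Module ActiveDirectory

$GmsaName  = 'EliteDev_SQLSvc'
$HostGroup = 'EliteDevDBHosts'
$HostName  = 'DC2DDB008'

# gMSA passwords are derived from the forest's KDS root key; without one, creation fails.
if (-not (Get-KdsRootKey)) { throw 'No KDS root key in this forest; create one before making gMSAs.' }

# The parameter that matters is -PrincipalsAllowedToRetrieveManagedPassword.
# -PrincipalsAllowedToDelegateToAccount instead writes msDS-AllowedToActOnBehalfOfOtherIdentity
# (resource-based constrained delegation), which does not let the host fetch the password.
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.wrk.ads.pha.phila.gov" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup -ManagedPasswordIntervalInDays 30

function Test-GmsaHostAccess {
    param([string]$Gmsa, [string]$ComputerName)
    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'PrincipalsAllowedToDelegateToAccount'
    $acct = Get-ADServiceAccount -Identity $Gmsa -Properties $props
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Expand every allowed principal; groups are flattened so nested membership counts.
    $allowedDns = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object { $_.DistinguishedName }
        } else { $obj.DistinguishedName }
    }
    [pscustomobject]@{
        Gmsa              = $Gmsa
        HostCanRetrieve   = $allowedDns -contains $computerDn
        AllowedPrincipals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
        # Non-empty here means delegation rights were granted by mistake; review and clear them.
        DelegationGranted = @($acct.PrincipalsAllowedToDelegateToAccount)
    }
}

$report = Test-GmsaHostAccess -Gmsa $GmsaName -ComputerName $HostName
$report | Format-List
if (-not $report.HostCanRetrieve) {
    # Repair in place instead of deleting and re-creating the account.
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}

# On the host itself (after a reboot if the computer was only just added to the group, so
# its ticket carries the new membership), install and verify the account:
#   Install-ADServiceAccount -Identity 'EliteDev_SQLSvc'
#   Test-ADServiceAccount    -Identity 'EliteDev_SQLSvc'   # True once retrieval works
```

The audit function is also worth keeping for the accounts that already work, since a non-empty DelegationGranted list is a delegation right nobody intended to grant.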
