Service Account
1. It is a domain account object intended to run services, not for interactive logon
2. It provides the permissions a service needs to run
3. It requires the .NET Framework 3.5 Features
4. A service account can only be created with PowerShell and the Active Directory module (not from Active Directory Users and Computers)
5. Domain Administrator or Account Operators permission is required to create a service account
6. The service account is added to the local Administrators group only when the service actually needs that level of access; for most services the “Log on as a service” right is enough
Group managed service accounts (gMSA)
1. Supported on Windows Server 2012 or later (at least one Windows Server 2012 domain controller and the matching schema are required)
2. A 64-bit operating system is required
3. The same gMSA can be used on multiple servers, which makes it suitable for farms and load-balanced services
4. A Key Distribution Services (KDS) root key must exist in the forest
5. A security group is used to manage which member hosts are allowed to retrieve the managed password
How to install Active Directory module
1. Open “PowerShell” with administrator rights
2. Install-WindowsFeature RSAT-AD-PowerShell
How to install DotNet Framework 3.5 Features
1. Insert the Windows installation disc
2. Use Dism.exe to install the feature; in this example the CD-ROM drive is D:
Dism.exe /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs /LimitAccess
How to add gMSA into local administrator group
1. Open “Command Prompt” with administrator rights
2. net localgroup Administrators <Domain Name>\<gMSA Name>$ /add
Note the backslash between domain and account name and the trailing “$”, which is part of every gMSA account name. Only do this for services that genuinely need local administrator access.
How to create the Key Distribution Services Root Key
1. After the KDS root key is created, it needs time to replicate to all domain controllers; for this reason the key only becomes usable 10 hours after creation
2. Domain Administrators or Enterprise Administrators permission is required to create the KDS root key
How to verify KDS Root Key
How to view KDS Root Key Configuration
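The three KDS steps above (create, verify, view configuration) as one added PowerShell example; this is not code from the original post. It assumes a lab domain with a second domain controller named DC02.joeschoice.local, and it is run in an elevated PowerShell on a domain controller as a Domain Admin or Enterprise Admin.

```powershell
# Added example (not from the original post): create, verify and inspect the
# KDS root key. Run in an elevated PowerShell on a domain controller as a
# Domain Admin or Enterprise Admin. 'DC02.joeschoice.local' is an assumed DC name.
Import-Module ActiveDirectory

# Production: the key becomes usable 10 hours after creation so that it can
# replicate to every DC before any host tries to retrieve a gMSA password.
# $key = Add-KdsRootKey -EffectiveImmediately

# Lab only (single DC): backdate the effective time so the key is usable at once.
# In a multi-DC domain a host may hit a DC that has not replicated the key yet.
$key = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Verify: list the keys and test the one just created on this DC.
$keys = @(Get-KdsRootKey)
if ($keys.Count -eq 0) { throw 'No KDS root key found; New-ADServiceAccount will fail.' }
$keys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
Test-KdsRootKey -KeyId $key

# View the KDS configuration (key length, PFS and other parameters).
Get-KdsConfiguration

# Check replication by reading the key container from another DC.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Server 'DC02.joeschoice.local' `
    -SearchBase "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$cfgNC" `
    -Filter 'objectClass -eq "msKds-ProvRootKey"' -Properties whenCreated |
    Select-Object Name, whenCreated
```

The backdated `-EffectiveTime` is the usual shortcut for a single-DC lab; in a real domain use `-EffectiveImmediately` and wait the 10 hours, otherwise hosts that contact a DC without the key fail with “the key distribution service could not find the root key”.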
How to create gMSA and assign to security group
1. Open “PowerShell” with domain administrator or account operator rights
How to create gMSA and assign to PC
How to verify gMSA
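The AD-side steps in the three sections above (create the host group, create the gMSA bound to that group or to a single computer, verify the result) as one added PowerShell example; this is not code from the original post. The domain joeschoice.local, the group gMSA1-Hosts, the hosts SQL01, SQL02 and SQL03 and the SPN are assumptions; gMSA1 is the account name the post uses.

```powershell
# Added example (not from the original post). Run as Domain Admin (or Account
# Operator) with the ActiveDirectory module. Names below are assumptions.
Import-Module ActiveDirectory

$domainDns = 'joeschoice.local'
$groupName = 'gMSA1-Hosts'
$gmsaName  = 'gMSA1'
$hosts     = 'SQL01', 'SQL02'

# 1. Security group that holds the hosts allowed to retrieve the password.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Hosts allowed to retrieve the gMSA1 password'
}
foreach ($h in $hosts) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $h)
}
# Group membership is evaluated at logon: reboot the hosts (or purge the machine
# tickets with "klist -li 0x3e7 purge") before installing the gMSA on them.

# 2. Create the gMSA. The SPN should match how clients reach the service;
#    the password interval can only be set at creation time.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -ServicePrincipalNames "MSSQLSvc/SQL01.${domainDns}:1433" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# Alternative to the group: allow a single computer (replaces the principal list).
# Set-ADServiceAccount -Identity $gmsaName `
#     -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer 'SQL03')

# 3. Verify: object class, who may retrieve the password, rotation interval, SPNs.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, ServicePrincipalNames |
    Select-Object Name, ObjectClass, ManagedPasswordIntervalInDays,
                  PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
```

A correctly created gMSA reports `ObjectClass` as `msDS-GroupManagedServiceAccount`; if the output shows `msDS-ManagedServiceAccount` the account was created as a standalone MSA (usually because `-DNSHostName` was omitted) and cannot be shared across hosts.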
Install gMSA on local computer
Verify gMSA on local computer
Uninstall gMSA on local computer
How to delete gMSA
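The host-side steps in the four sections above (install, verify, uninstall on the local computer, then delete the account in AD) as one added PowerShell example; this is not code from the original post. It assumes the gMSA gMSA1 already exists and that the local host has the RSAT AD PowerShell module installed and is a member of the group allowed to retrieve the password.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the member host after the RSAT AD module is installed.
Import-Module ActiveDirectory
$gmsaName = 'gMSA1'

# Install: the host retrieves the managed password and caches it locally.
Install-ADServiceAccount -Identity $gmsaName

# Verify: Test-ADServiceAccount returns $true when this host can retrieve the password.
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    # Common cause: the host was added to the principals group after its machine
    # ticket was issued. Purge the SYSTEM logon session tickets and retry once.
    klist -li 0x3e7 purge
    if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
        throw "This host is not allowed to retrieve the password for $gmsaName"
    }
}

# Show who is allowed to retrieve the password, to compare with the group membership.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# Decommission: uninstall on every host first, then remove the AD object.
# Uninstall-ADServiceAccount -Identity $gmsaName
# Remove-ADServiceAccount -Identity $gmsaName -Confirm:$false
```

`Test-ADServiceAccount` is the check to run first whenever a service configured with a gMSA fails to start with a logon failure; if it returns `$false`, no amount of service configuration will help until the host is allowed to retrieve the password.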
Assign gMSA to specified services
1. Press “Windows” + “R” to open the Run dialog
2. Enter “services.msc” to open the Services snap-in console
3. Right-click the service -> “Properties”
4. Select the “Log On” tab -> click “This account” -> enter “joeschoice\gMSA1$”
5. Leave “Password” blank (the host retrieves the password from Active Directory) -> click “OK”
6. Click “Restart the service” to restart the service
After the account has been changed, the “Log On” tab sometimes becomes greyed out and the account can no longer be changed from the snap-in.
Running “sc managedaccount <service name> false” from an elevated prompt clears the managed-account flag on the service and makes the tab editable again.
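The same service change done from an elevated PowerShell with sc.exe, including the managed-account flag the post mentions and a verification step; this is an added example, not code from the original post. MyService is an assumed service name; joeschoice\gMSA1$ is the account used throughout the post.

```powershell
# Added example (not from the original post): configure a service to run as the
# gMSA from an elevated PowerShell. 'MyService' is an assumed service name.

# --% passes the rest of the line to sc.exe verbatim, so the sc.exe syntax
# (a space after each '=' and the blank password) survives PowerShell parsing.
sc.exe --% config MyService obj= joeschoice\gMSA1$ password= ""
if ($LASTEXITCODE -ne 0) { throw "sc config failed ($LASTEXITCODE)" }

# Flag the service as using a managed account so the SCM fetches the password
# itself; 'false' is the value the post uses to recover a greyed-out Log On tab.
sc.exe managedaccount MyService true
if ($LASTEXITCODE -ne 0) { throw "sc managedaccount failed ($LASTEXITCODE)" }

Restart-Service -Name MyService

# Verify the SCM now starts the service as the gMSA and that it is running.
$svc = Get-CimInstance Win32_Service -Filter "Name='MyService'"
'{0} runs as {1} (state: {2})' -f $svc.Name, $svc.StartName, $svc.State
if ($svc.StartName -ne 'joeschoice\gMSA1$') { throw 'Logon account was not applied' }
if ($svc.State -ne 'Running') { throw 'Service did not restart; check the System log' }
```

If the restart fails with event ID 7000 or 7038 (logon failure) in the System log, the host usually is not allowed to retrieve the password: run `Test-ADServiceAccount gMSA1` on the host before touching the service configuration again.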
Assign gMSA to MS SQL
1. Press “Windows” + “R” to open the Run dialog
2. Enter “services.msc” to open the “Services” snap-in console
3. Right-click “SQL Server (MSSQLSERVER)” -> “Properties”
4. Select the “Log On” tab -> click “This account” -> enter “joeschoice\gMSA1$”
5. Leave “Password” blank
6. Select the “General” tab -> select “Automatic (Delayed Start)” in “Startup type:” so the service starts only after the network is up and the host can retrieve the managed password -> click “OK”
7. Click “Restart the service” to restart the service
8. Right-click “SQL Server Agent (MSSQLSERVER)” -> “Properties”
9. Select the “Log On” tab -> click “This account” -> enter “joeschoice\gMSA1$”
10. Leave “Password” blank
11. Select the “General” tab -> select “Automatic (Delayed Start)” in “Startup type:” -> click “OK”
12. Click “Restart the service” to restart the service
13. Press “Windows” + “R” to open the Run dialog
14. Enter “secpol.msc” to open the “Local Security Policy” snap-in console
15. Expand “Local Policies” -> select “User Rights Assignment”
16. Grant “joeschoice\gMSA1$” the following rights: “Log on as a service”, “Replace a process-level token”, “Bypass traverse checking” and “Adjust memory quotas for a process”. SQL Server Configuration Manager grants these automatically when the account is changed through it; they must be added by hand when the account is changed in services.msc as above.
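Step 16 as an added PowerShell example that grants the four user rights with secedit and verifies them afterwards; this is not code from the original post. It keeps every principal that already holds each right and only appends the gMSA; the working directory under $env:TEMP is an assumption.

```powershell
# Added example (not from the original post): grant the user rights the post
# lists for SQL Server to the gMSA with secedit, from an elevated PowerShell.
$account = 'joeschoice\gMSA1$'
$rights  = @(
    'SeServiceLogonRight'             # Log on as a service
    'SeAssignPrimaryTokenPrivilege'   # Replace a process-level token
    'SeChangeNotifyPrivilege'         # Bypass traverse checking
    'SeIncreaseQuotaPrivilege'        # Adjust memory quotas for a process
)

# secedit stores principals as SIDs prefixed with '*'.
$sid = (New-Object System.Security.Principal.NTAccount($account)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

$work = Join-Path $env:TEMP 'ura'   # assumed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: right -> list of current holders.
$current = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# Build an .inf that re-declares each right with the gMSA appended. Listing the
# existing holders matters: secedit replaces the whole list for a right.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $rights) {
    $holders = @($current[$r])
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    $lines += "$r = " + ($holders -join ',')
}
$import = Join-Path $work 'grant.inf'
$lines | Set-Content -Path $import -Encoding Unicode

secedit /configure /db (Join-Path $work 'grant.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit failed ($LASTEXITCODE); see $env:windir\security\logs\scesrv.log" }

# Verify: re-export and confirm the SID is listed on every right.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$after = Get-Content $export
foreach ($r in $rights) {
    if (-not ($after -match "^$r\s*=.*\*$sid")) { throw "$r was not granted to $account" }
    "$r granted to $account"
}
```

If the host receives these rights from a domain GPO, the GPO wins on the next refresh and silently removes the local grant; in that case add the gMSA to the GPO instead of the local policy.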
Assign gMSA to IIS
1. Press “Windows” + “R” to open the Run dialog
2. Enter “inetmgr” to open IIS Manager
3. Double-click <IIS Server Name> -> double-click “Application Pools”
4. Right-click <Pool Name> -> click “Advanced Settings”
5. Click “…” in “Identity” -> click “Custom Account” -> click “Set”
6. Enter “joeschoice\gMSA1$” and leave both password fields blank
7. Click “Stop” under “Application Pool Tasks” -> click “Start”
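The same application pool change done with the WebAdministration module, with a verification step; this is an added example, not code from the original post. MyAppPool is an assumed pool name; joeschoice\gMSA1$ is the account used throughout the post.

```powershell
# Added example (not from the original post): set an IIS application pool to run
# as the gMSA from an elevated PowerShell. 'MyAppPool' is an assumed pool name.
Import-Module WebAdministration

$pool    = 'MyAppPool'
$account = 'joeschoice\gMSA1$'

# identityType 3 = SpecificUser. No password is supplied: the host retrieves it from AD.
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3
    userName     = $account
}

Restart-WebAppPool -Name $pool

# Verify the pool identity and that the pool came back up.
$pm    = Get-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel
$state = (Get-WebAppPoolState -Name $pool).Value
'{0}: identityType={1} userName={2} state={3}' -f $pool, $pm.identityType, $pm.userName, $state
if ($pm.userName -ne $account) { throw 'Application pool identity was not applied' }
if ($state -ne 'Started')      { throw 'Application pool did not start; check the System log' }

# The gMSA also needs NTFS read access to the site content (path assumed):
# icacls C:\inetpub\wwwroot /grant "${account}:(OI)(CI)RX"
```

When the site uses Windows authentication with Kerberos, the HTTP SPN for the site's host name must be registered on the gMSA (not on the machine account) for tickets to decrypt under the pool identity.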