
We have an RODC in a DMZ site and we would like to use gMSA, but the problem is that, since the domain controllers are read-only, it seems that I have to set a password at the creation of a new account, such as:

New-ADServiceAccount -name STEST01_gmsa -DNSHostName STEST01_gmsa.mydomain.local -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword MyGROUP_TEST01_GMSA

The problem is that I've already tried a lot of different ways and none of them worked. This last command returns the following error:

    New-ADServiceAccount : Parameter set cannot be resolved using the specified named parameters.
    At line:1 char:1
    + New-ADServiceAccount -name STEST01_gmsa -PrincipalsAllowedToRetrieveM ...
        + CategoryInfo          : InvalidArgument: (:) [New-ADServiceAccount], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

Please help figure out what's missing here.

1 Answer

The "AccountPassword" attribute is ignored for gMSAs; it can be used for standard MSAs in scenarios like the one you describe, where there is no writable access to a domain controller.

Quoting Microsoft docs: "In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs."

https://docs.microsoft.com/en-us/powershell/module/activedirectory/install-adserviceaccount?view=winserver2012-ps#parameters

Stu
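As an added example (not the asker's or the answerer's own code), here is the standalone-MSA path the answer describes, carried through end to end. It assumes a member server named SRV01 in the RODC-only site and an sMSA named STEST01_msa; -RestrictToSingleComputer selects the New-ADServiceAccount parameter set that accepts -AccountPassword, whereas -DNSHostName and -PrincipalsAllowedToRetrieveManagedPassword belong to the gMSA parameter set, which is why mixing them produces the "Parameter set cannot be resolved" error above.

```powershell
# Added example, not from the question or the answer. Assumed names: SRV01 (member server
# in the RODC-only site) and STEST01_msa (standalone MSA); adjust to your own domain.
Import-Module ActiveDirectory

# --- Steps 1 and 2: run from a host that can reach a writable DC ---

# Read the well-known password interactively rather than embedding it in the command
# line, so it does not land in PSReadLine history, transcripts or script files.
$Password = Read-Host -Prompt 'Well-known sMSA password' -AsSecureString

# 1. Create a *standalone* MSA. -RestrictToSingleComputer is what makes -AccountPassword
#    valid; do not combine it with -DNSHostName or
#    -PrincipalsAllowedToRetrieveManagedPassword (those are gMSA-only parameters).
New-ADServiceAccount -Name 'STEST01_msa' `
    -RestrictToSingleComputer `
    -AccountPassword $Password `
    -Enabled $true

# 2. Link the sMSA to the computer account that will run the service.
Add-ADComputerServiceAccount -Identity 'SRV01' -ServiceAccount 'STEST01_msa'

# --- Steps 3 and 4: run on SRV01 itself, in a separate session ---

# 3. The server cannot retrieve the password from a writable DC, so the same
#    well-known password must be supplied again at install time.
$Password = Read-Host -Prompt 'Well-known sMSA password' -AsSecureString
Install-ADServiceAccount -Identity 'STEST01_msa' -AccountPassword $Password

# 4. Confirm the host can actually use the account before configuring the service.
Test-ADServiceAccount -Identity 'STEST01_msa'
```

Because the sMSA password is a shared secret that administrators must know and re-enter, treat it like any other privileged credential: store it in a vault, not in deployment scripts, and rotate it if the RODC site is later given access to a writable DC and the account is migrated to a gMSA.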