
MSA

Check and Verify Key Distribution Service (KDS) Root Key


Get-KdsRootKey


Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId



Create KDS Key


Add-KdsRootKey -EffectiveImmediately


The key is created immediately but only becomes usable 10 hours later, once AD replication has completed.


KDS root keys are stored in Active Directory in container CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>. They have an attribute msKds-DomainID that links to the computer account of the Domain Controller that created the object. When this domain controller is demoted and removed from the domain, the value will refer to the tombstone of the computer account. You can ignore the broken value as it is only used to help the administrator track the object when it's freshly created. You may also change the attribute value and point it to the computer object of another domain controller in your forest.
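An added check, not part of the original notes, that lists each KDS root key, runs Test-KdsRootKey against it and reports whether it is usable yet. Treating "usable" as EffectiveTime plus the 10-hour wait described above is this example's own assumption.

```powershell
# Added example: status of every KDS root key on this domain controller.
# Assumes the KdsCmdlets module (present on domain controllers) is loaded.
function Get-KdsRootKeyStatus {
    param([int]$RequiredHours = 10)   # the 10-hour wait the notes describe (assumption)
    $keys = @(Get-KdsRootKey)
    if ($keys.Count -eq 0) {
        Write-Warning 'No KDS root key found; run Add-KdsRootKey -EffectiveImmediately on a DC and wait for replication.'
        return
    }
    $now = Get-Date
    foreach ($key in $keys) {
        $usableFrom = $key.EffectiveTime.AddHours($RequiredHours)
        # Test-KdsRootKey validates the stored key data on this DC and returns True/False
        $formatOk = Test-KdsRootKey -KeyId $key.KeyId
        [pscustomobject]@{
            KeyId      = $key.KeyId
            Created    = $key.CreationTime
            Effective  = $key.EffectiveTime
            UsableFrom = $usableFrom
            FormatOK   = $formatOk
            Ready      = [bool]($formatOk -and ($usableFrom -le $now))
        }
    }
}

$status = Get-KdsRootKeyStatus
$status | Format-Table -AutoSize
if (-not ($status | Where-Object Ready)) {
    # Creating a gMSA needs a usable root key; until then New-ADServiceAccount fails.
    Write-Warning 'No usable KDS root key yet; wait before creating group managed service accounts.'
}
```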




Create Managed Service Account


New-ADServiceAccount -Name msaAADC -RestrictToSingleComputer


$Identity = Get-ADComputer -Identity AADC

Add-ADComputerServiceAccount -Identity $Identity -ServiceAccount msaAADC


Get-ADServiceAccount msaAADC



Create Group Managed Service Account


Create a Global Group called "GG gmsaAADC" and add server(s) to it


New-ADServiceAccount -name gmsaAADC -DNSHostName gmsaAADC.azhartech.com -PrincipalsAllowedToRetrieveManagedPassword "GG gmsaAADC" -verbose


Get-ADServiceAccount gmsaAADC


Install Managed Service Account on Windows


Add-WindowsFeature RSAT-AD-PowerShell


Install-ADServiceAccount -Identity msaAADC


Test-ADServiceAccount msaAADC


Install Group Managed Service Account on Windows (Restart Windows)


Install-ADServiceAccount -Identity gmsaAADC


Test-ADServiceAccount gmsaAADC
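The gMSA provisioning sequence above (group, members, account, verification) as one added function. This is example code, not from the original notes; the group name, server names and DNS domain are assumptions.

```powershell
# Added example: provision a gMSA for a set of servers and read back what AD stored.
Import-Module ActiveDirectory

function New-GmsaForServers {
    param(
        [Parameter(Mandatory)][string]$Name,            # gMSA name without the trailing $
        [Parameter(Mandatory)][string]$GroupName,       # global group allowed to fetch the password
        [Parameter(Mandatory)][string[]]$ComputerName,  # servers that will run the service
        [Parameter(Mandatory)][string]$DnsDomain
    )
    # 1. Global group whose members may retrieve the managed password
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
    }
    foreach ($c in $ComputerName) {
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $c)
    }
    # 2. The gMSA itself; AES256 only, so no RC4 keys are issued for it
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$DnsDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -KerberosEncryptionType AES256 | Out-Null
    # 3. Read back the stored values rather than trusting the call succeeded
    $acct = Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword,
        KerberosEncryptionType, ManagedPasswordIntervalInDays
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        AllowedDN  = @($acct.PrincipalsAllowedToRetrieveManagedPassword) -join '; '
        Encryption = $acct.KerberosEncryptionType
        Interval   = $acct.ManagedPasswordIntervalInDays
    }
}

# Constructed sample values (assumptions): group 'GG gmsaAADC', two servers, domain azhartech.com
New-GmsaForServers -Name gmsaAADC -GroupName 'GG gmsaAADC' -ComputerName AADC01, AADC02 -DnsDomain azhartech.com

# On each member server, after a reboot so the new group membership is in its token:
#   Install-ADServiceAccount -Identity gmsaAADC
#   Test-ADServiceAccount gmsaAADC      # True means this host could retrieve the password
```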


Configure Managed Service Account to run a service on Windows


Open secpol.msc, Security Settings, Local Policies, User Rights Assignment, Log on as a service, Add Managed Service Account and reboot

Open the desired service and configure the Managed Service Account (azhartech\msaAADC$) without entering a password, then restart the service


Configure Group Managed Service Account to run a service on Windows


Open secpol.msc, Security Settings, Local Policies, User Rights Assignment, Log on as a service, Add Group Managed Service Account and reboot

Open the desired service and configure the Group Managed Service Account (azhartech\gmsaAADC$) without entering a password, then restart the service


Configure Managed Service Account to run a Scheduled Task on Windows


Open secpol.msc, Security Settings, Local Policies, User Rights Assignment, Log on as a batch job, Add Managed Service Account and reboot

Also add Managed Service Account to appropriate groups based on requirements such as Domain Admins, Local Administrators or Local Backup Operators

Configure the Scheduled Task with a temporary account, then follow the steps below to switch it to the Managed Service Account with PowerShell


Configure Group Managed Service Account to run a Scheduled Task on Windows


Open secpol.msc, Security Settings, Local Policies, User Rights Assignment, Log on as a batch job, Add Group Managed Service Account and reboot

Also add Group Managed Service Account to appropriate groups based on requirements such as Domain Admins, Local Administrators or Local Backup Operators

Configure the Scheduled Task with a temporary account, then follow the steps below to switch it to the Group Managed Service Account with PowerShell


Modifying an existing Scheduled Task


Get-ScheduledTask


$principal = New-ScheduledTaskPrincipal -UserId 'azhartech\msaAADC$' -LogonType Password


Note: "Password" is the literal word and NOT an actual password. Using Password as the argument for the LogonType parameter instructs the task to retrieve the password from Active Directory.


Set-ScheduledTask -TaskName <TaskName> -Principal $principal
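An added example, not from the original notes, that goes one step beyond the modification above: it registers a new task directly under the gMSA (so no temporary account is needed) and reads the stored principal back. The task name, script path and account name are assumptions.

```powershell
# Added example: register a scheduled task that runs as a gMSA and verify the principal.
function Register-GmsaTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$ServiceAccount   # e.g. 'azhartech\gmsaAADC$' (assumption)
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
    # LogonType Password is the literal word: the Task Scheduler service fetches the
    # managed password from AD at run time, and nothing is stored with the task.
    $principal = New-ScheduledTaskPrincipal -UserId $ServiceAccount -LogonType Password -RunLevel Limited
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal | Out-Null

    # Read the task back so the stored principal, not the intended one, is what gets reported
    $task = Get-ScheduledTask -TaskName $TaskName
    [pscustomobject]@{
        Task      = $task.TaskName
        RunsAs    = $task.Principal.UserId
        LogonType = $task.Principal.LogonType
        State     = $task.State
    }
}

# Constructed sample call (assumptions): the gMSA must already hold "Log on as a batch job" on this host
Register-GmsaTask -TaskName 'AADC-Maintenance' -ScriptPath 'C:\Scripts\maintenance.ps1' -ServiceAccount 'azhartech\gmsaAADC$'
```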



Operations

__________



Get-ADServiceAccount -Filter *


Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword


Get-ADServiceAccount -Filter * -Properties memberof
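The three inventory queries above combined into one added report (example code, not from the original notes) that shows, per account, who may retrieve its password, its Kerberos encryption types and whether it sits in a privileged group. The list of privileged groups is an assumption to adjust for your forest.

```powershell
# Added example: inventory of all MSAs and gMSAs with password-retrieval principals and group membership.
Import-Module ActiveDirectory

function Get-ServiceAccountInventory {
    param(
        # Assumed list of groups whose membership deserves review; extend for your forest
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Backup Operators')
    )
    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'MemberOf', 'KerberosEncryptionType',
             'ManagedPasswordIntervalInDays', 'ObjectClass'
    Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
        $isGmsa     = $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
        $groups     = @($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
        $note = if ($privileged) { 'member of privileged group' }
                elseif ($isGmsa -and -not $_.PrincipalsAllowedToRetrieveManagedPassword) { 'no principal can retrieve the password' }
                elseif ("$($_.KerberosEncryptionType)" -match 'RC4') { 'RC4 still allowed' }
                else { '' }
        [pscustomobject]@{
            Name         = $_.SamAccountName
            Type         = if ($isGmsa) { 'gMSA' } else { 'MSA' }
            CanRetrieve  = @($_.PrincipalsAllowedToRetrieveManagedPassword) -join '; '
            Encryption   = $_.KerberosEncryptionType
            IntervalDays = $_.ManagedPasswordIntervalInDays
            Privileged   = $privileged -join '; '
            Note         = $note
        }
    } | Sort-Object Name
}

Get-ServiceAccountInventory | Format-Table -AutoSize
```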


Remove an Active Directory managed service account or group managed service account object


Add-WindowsFeature RSAT-AD-PowerShell


Remove-ADServiceAccount -Identity msaAADC


Example

_______


<<<>>>

Group

ITSMDI


GMSA

itsmdidsa



New-ADServiceAccount -Name itsmdidsa -DNSHostName itsmdidsa.sudomain.server -PrincipalsAllowedToRetrieveManagedPassword "ITSMDI" -Description "Microsoft Defender for Identity group managed service account" -ManagedPasswordIntervalInDays 20 -KerberosEncryptionType AES256 -Verbose


Get-ADServiceAccount itsmdidsa -Properties * | fl DNSHostName, SamAccountName, KerberosEncryptionType, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword, memberof


<<<>>>


LAPS


Update the Windows Server Active Directory schema


Update-LapsADSchema



Grant the managed device permission to update its password


Set-LapsADComputerSelfPermission -Identity "OU=laps,DC=domain,DC=com"



Query extended rights permissions


Find-LapsADExtendedRights -Identity "OU=laps,DC=domain,DC=com"
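An added review, not from the original notes, built on the extended-rights query above: it lists every holder of the LAPS extended rights under an OU and flags any that are not on an expected allow-list. The OU path and the allow-list are assumptions.

```powershell
# Added example: flag unexpected holders of LAPS password-read rights under an OU.
Import-Module LAPS

function Get-UnexpectedLapsRightHolders {
    param(
        [Parameter(Mandatory)][string]$OUPath,
        [Parameter(Mandatory)][string[]]$ExpectedHolders   # principals that are allowed to read LAPS passwords
    )
    # Find-LapsADExtendedRights returns one entry per object with its ExtendedRightHolders
    $findings = foreach ($entry in Find-LapsADExtendedRights -Identity $OUPath) {
        foreach ($holder in @($entry.ExtendedRightHolders)) {
            if ($ExpectedHolders -notcontains $holder) {
                [pscustomobject]@{ ObjectDN = $entry.ObjectDN; UnexpectedHolder = $holder }
            }
        }
    }
    if ($findings) { $findings } else { Write-Output "No unexpected LAPS right holders under $OUPath" }
}

# Constructed sample call (assumptions): OU from the notes, allow-list of a dedicated readers group
Get-UnexpectedLapsRightHolders -OUPath 'OU=laps,DC=domain,DC=com' `
    -ExpectedHolders 'DOMAIN\LAPS-Readers', 'DOMAIN\Domain Admins' | Format-Table -AutoSize
```

Run it again after delegating rights to confirm only the intended groups appear.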



Configure GPO


Apply GPO to OU

