Monday, 23 September 2024

Looking up gMSA accounts in Active Directory

A short article with tips how you can find gMSA accounts in Active Directory or AD. First off, import the module ActiveDirectory. Then you can run the following snippet to find some gMsa accounts of which you know part of the name of. 


Import-Module ActiveDirectory
Get-ADObject -Filter {ObjectClass -eq "msDS-GroupManagedServiceAccount"  -and Name -Like '*SomeGmsa*' }  -Properties DistinguishedName,  SamAccountName | Select DistinguishedName, SamAccountName
This yields the results: 


DistinguishedName                                                   SamAccountName  
-----------------                                                   --------------  
CN=gMSA1DVSomeGmsa,CN=Managed Service Accounts,DC=someacme,DC=org        MSA1DVSomeAcmeP$    
CN=gMSA1_gMSA1DGmsaPT,CN=Managed Service Accounts,DC=someacme,DC=org     MSA1gMSA1DVSomeAcme$
CN=gMSA1_DVSomeGmsaPT,CN=Managed Service Accounts,DC=someacme,DC=org     MSA1DVSomeAcmePT$
You can search for gMSA users in AD like this: 


Import-Module ActiveDirectory 

Get-ADServiceAccount -Filter "Name -like '*SomeGmsa*'"
This should yield a list of matching gMSA users with given name :

You can also ask for all properties of Gmsa users using -Properties with * : 



Import-Module ActiveDirectory
Get-ADObject -Filter {ObjectClass -eq "msDS-GroupManagedServiceAccount"  -and Name -Like '*SomeGmsa*' }  -Properties *


Please note that your server should also install the gMsa account where it shall be used ! And to use the module ActiveDirectory, the Windows feature must be installed. From Powershell admin console you can run: 


# Remember to install the RSAT-AD-Powershell module 

Add-WindowsFeature RSAT-AD-PowerShell

Install-ADServiceAccount SomeGmsa$


Import-Module ActiveDirectory
Get-ADObject -Filter {ObjectClass -eq "msDS-GroupManagedServiceAccount"  -and Name -Like '*SomeGmsa*' }  -Properties DistinguishedName,  SamAccountName | Select DistinguishedName, SamAccountName
Note that you gMsa user has a SamAccountName which is suffixed by '$'. This can be set up in IIS for you application as the app pool identity. The username will be in this example: 


MYDOMAIN\SomeGmsa$
The password of the gMSa service account will actually be empty ! Instead, the service account is installed as shown above using the cmd-let Install-AdServiceAccount.
Share this article on LinkedIn.
Lagt inn av kl.
Etiketter: , , , , , ,

1 comment:

  1. kevin13 November 2024 at 02:01

    When looking up gMSA accounts in Active Directory, you can use PowerShell to retrieve all relevant details, including any associated permissions and attributes. If you need to confirm specific identifiers like an is Betting id try querying the account properties for detailed output on linked accounts and services. This method can help ensure your gMSA accounts are correctly configured and secure.

    ReplyDelete

Subscribe to: Post Comments (Atom)