Group Managed Service Accounts - Install-ADServiceAccount returns "Access Denied"

Ross Wilper

I am playing around with the Group Managed Service Accounts. I skipped MSA from Windows Server 2008 R2 since the single-computer limitation made its value fairly low. Anyway, the 2012 RC documentation is still not really there and most of it is links to 2008 R2 documents, so I may be doing this incorrectly.

Before Install-ADServiceAccount (on the local computer)

  • I set up the KDS root key and it has replicated
  • I ran New-ADServiceAccount and Add-ADComputerServiceAccount to create and assign a gMSA
  • User account has FULL CONTROL of the gMSA object (even tried removing accidental deletion protection)

Looking through logs on the DCs, I see:

  • Directory Access successes from the user account I am using - reading the gMSA object
  • No Directory Access failures are recorded - auditing is on for all accesses to the gMSA object
  • Privilege Use failures for the computer account to use SeBackupPrivilege

There is nothing in the logs on the local machine that I could find, and the error message says WriteError: (<gMSA account>:String).

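The following PowerShell is an added example for readers hitting the same symptom; it is not code from the original post. It walks the prerequisites the post lists (KDS root key present and effective, gMSA created, host assigned) from the host that will run Install-ADServiceAccount, and adds the check most often behind an "Access Denied" here: the host must appear in the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute, which Add-ADComputerServiceAccount does not set on its own. The gMSA name and the use of $env:COMPUTERNAME for the host are assumptions; substitute your own values.

```powershell
# Added example, not from the original post. Assumed names below.
Import-Module ActiveDirectory

$GmsaName = 'svc-web01'          # assumed gMSA sAMAccountName, without the trailing $
$HostName = $env:COMPUTERNAME    # this host must be allowed to retrieve the managed password

# 1. A KDS root key must exist and its EffectiveTime must already have passed,
#    otherwise no DC will hand out a managed password yet.
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
if (-not $rootKey) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey on a DC and let it replicate.'
}
if ($rootKey.EffectiveTime -gt (Get-Date)) {
    throw "KDS root key is not effective until $($rootKey.EffectiveTime)."
}

# 2. The gMSA must list this host (directly, or via a group the host is a direct
#    member of) among the principals allowed to retrieve its password.
#    Note: MemberOf only covers direct group membership, so nested groups are not checked here.
$gmsa     = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$computer = Get-ADComputer -Identity $HostName -Properties MemberOf
$allowed  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$hostDns  = @($computer.DistinguishedName) + @($computer.MemberOf)
$isAllowed = $allowed | Where-Object { $hostDns -contains $_ }

if (-not $isAllowed) {
    $hostSam = $HostName + '$'
    Write-Warning "$HostName is not in PrincipalsAllowedToRetrieveManagedPassword of $GmsaName."
    Write-Warning "Grant it with: Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword '$hostSam'"
    Write-Warning 'Then refresh the computer account ticket (klist purge -li 0x3e7, or reboot) before retrying.'
}

# 3. Install and verify. Test-ADServiceAccount returns $true only when this host can
#    actually retrieve the managed password, which is the real check for the
#    "Access Denied" symptom; a failure here points back to step 2 or to the DC logs.
Install-ADServiceAccount -Identity $GmsaName
if (Test-ADServiceAccount -Identity $GmsaName) {
    "gMSA $GmsaName is usable on $HostName."
} else {
    "gMSA $GmsaName is installed but password retrieval still fails; review the DC Directory Service and Security logs."
}
```

Run it in an elevated PowerShell session on the target host with the RSAT Active Directory module installed. The Set-ADServiceAccount call it suggests replaces the attribute's current value, so if several hosts share the gMSA, pass a group containing all of them (or the full list of computer accounts) rather than a single host.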