Score:0

Allow interactive login for group managed service account (gMSA)


I'm trying to troubleshoot an issue with a gMSA and the error is displayed interactively. psexec is blocked by Sophos, which is quite a hassle to whitelist (that would be the sure way to get an interactive session).

I tried putting the gMSA in all the obvious groups. Tried logging in via RDP, but this gives 'To sign in remotely, you need the right to......'. Tried runas. PSSession works, but not interactively. Start-Process gives "Logon failure: the user has not been granted the requested logon type at this computer.".

Where is a gMSA blocked from logging in interactively? It's not in the deny policy; I tried adding it to the interactive logon policy. All to no avail. It seems it's hardcoded by Microsoft somewhere.

Score:0

To answer my own question: change userAccountControl in Active Directory from 0x1000 (WORKSTATION_TRUST_ACCOUNT) to 0x200 (NORMAL_ACCOUNT).

Now it's basically a "normal" account. At least RDP works for me now.

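The attribute change described in the answer above, as an added PowerShell example that is not part of the original thread: it reads the gMSA's userAccountControl, decodes which bits are set, swaps the account-type bit from WORKSTATION_TRUST_ACCOUNT (0x1000) to NORMAL_ACCOUNT (0x200) while leaving every other bit alone, and restores the original type afterwards. It assumes the RSAT ActiveDirectory module and a gMSA called 'svc-app' (a hypothetical name); the bit values are the standard ADS_USER_FLAG values. gMSAs are designed for service logon rather than interactive logon, so treat the flip as a troubleshooting step and put the bit back when you are done.

```powershell
# Added example (not code from the original thread). Assumes the RSAT
# ActiveDirectory module and a hypothetical gMSA named 'svc-app'.
Import-Module ActiveDirectory

# Subset of the userAccountControl bit values (ADS_USER_FLAG enumeration)
$UAC = [ordered]@{
    0x00000002 = 'ACCOUNTDISABLE'
    0x00000020 = 'PASSWD_NOTREQD'
    0x00000200 = 'NORMAL_ACCOUNT'
    0x00000800 = 'INTERDOMAIN_TRUST_ACCOUNT'
    0x00001000 = 'WORKSTATION_TRUST_ACCOUNT'
    0x00002000 = 'SERVER_TRUST_ACCOUNT'
    0x00010000 = 'DONT_EXPIRE_PASSWORD'
    0x00080000 = 'TRUSTED_FOR_DELEGATION'
    0x00100000 = 'NOT_DELEGATED'
}
$NORMAL_ACCOUNT            = 0x200
$WORKSTATION_TRUST_ACCOUNT = 0x1000

function Get-UacFlagNames {
    # Names of every known bit that is set in $Value
    param([Parameter(Mandatory)][int]$Value)
    $UAC.Keys | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $UAC[$_] }
}

function Get-GmsaUac {
    # Current userAccountControl of the gMSA, as hex plus decoded flag names
    param([Parameter(Mandatory)][string]$Name)
    $acct = Get-ADServiceAccount -Identity $Name -Properties userAccountControl
    [pscustomobject]@{
        DistinguishedName  = $acct.DistinguishedName
        userAccountControl = ('0x{0:X}' -f $acct.userAccountControl)
        Flags              = (Get-UacFlagNames -Value $acct.userAccountControl) -join ', '
    }
}

function Set-GmsaAccountType {
    # Clear one account-type bit and set the other; all other bits are kept
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$ClearBit,
        [Parameter(Mandatory)][int]$SetBit
    )
    $acct = Get-ADServiceAccount -Identity $Name -Properties userAccountControl
    $new  = ($acct.userAccountControl -band (-bnot $ClearBit)) -bor $SetBit
    Set-ADObject -Identity $acct.DistinguishedName -Replace @{ userAccountControl = $new }
    Get-GmsaUac -Name $Name
}

# 1. Record the starting state; a gMSA is expected to show WORKSTATION_TRUST_ACCOUNT
Get-GmsaUac -Name 'svc-app'

# 2. Troubleshooting only: make it a NORMAL_ACCOUNT so interactive logon types are no longer refused
Set-GmsaAccountType -Name 'svc-app' -ClearBit $WORKSTATION_TRUST_ACCOUNT -SetBit $NORMAL_ACCOUNT

# ... reproduce the interactive error (for example the RDP logon that failed before) ...

# 3. Restore the supported account type when finished
Set-GmsaAccountType -Name 'svc-app' -ClearBit $NORMAL_ACCOUNT -SetBit $WORKSTATION_TRUST_ACCOUNT
```

The bitwise form matters: writing the literal 0x200 into userAccountControl would also discard any other bits already set on the object (for example DONT_EXPIRE_PASSWORD or delegation settings), whereas clearing 0x1000 and setting 0x200 changes only the account type. Run Get-GmsaUac before and after each step so the revert is verified against the recorded starting value.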