Score:2

gMSA and Read Only Domain Controllers


Windows Server 2019 Environment

I have 2 writable DCs and 1 RODC out in a DMZ that will all need to use a gMSA for some software we are deploying. This is my first time ever making use of gMSAs / MSAs, and while everything went well for creation and deployment on my writable DCs, the RODC threw an error:

Install-ADServiceAccount : Cannot install service account. Error Message: '{Access Denied} A process has requested access to an object, but has not been granted those access rights.'

Building off of an earlier thread here: Group Managed Service Accounts (GMSA) and Read-Only Domain Controllers (RODC)

I found some documentation that seems to indicate that you can't quite do this the same way on the RODC, but I am confused about how to proceed. At first it sounds like I will need to go to the RODC and create a regular MSA with what I assume is the same account name as the gMSA I've already set up. Some other leads, however, make me think it might be an issue with the flag "PrincipalsAllowedToRetrieveManagedPassword". During the creation of the gMSA on my PDC emulator, I set the flag as -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers". Should it instead have been set as -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "Read-Only Domain Controllers"? Certainly, when I check the "Members of" tab on the RODC computer account, it is not listed as a member of "Domain Controllers" like the two writable ones. Is this idea on the right track? If so, how does one edit the existing gMSA to allow the RODC to grab its password?

Given that the point of the RODC is that it does not cache passwords I suspect I'm not on the right track, and that a local-only, stand-alone account with the same name (because the software manager has dictated the name to me) will have to be used. Is this actually the case? If so, does it matter if a gMSA of "NAME X" and a local MSA of "NAME X" have the same name but differing machine-generated passwords?

New ground and I am a bit uncertain how to pull apart the information I have available, unfortunately.

Score:1

The solution appears to be to add the "Read-only Domain Controllers" group to the approved password-retrieval list: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

I attempted this with the command: Set-ADServiceAccount -Identity myServiceAccountName -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Read-only Domain Controllers"

Once I did this I was able to install the service on the DMZ-bound RODC without issue.
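As an added example (not part of the answer above, and not code from the original poster), the following PowerShell script performs the same change non-destructively. The important caveat is that -PrincipalsAllowedToRetrieveManagedPassword replaces the entire list rather than appending to it, so a one-off Set-ADServiceAccount call that names only the two DC groups would silently remove any other hosts that were previously allowed to retrieve the password. The script reads the current list, adds only what is missing, and then shows the verification step to run on the RODC. The gMSA name myServiceAccountName is the one used in the answer; the group names are the default AD group names. It assumes the ActiveDirectory RSAT module is available and that the first part runs with write access to the gMSA object against a writable DC.

```powershell
# Added example, not part of the original answer.
# Assumes: the ActiveDirectory module, a gMSA named 'myServiceAccountName'
# (name taken from the answer), and rights to modify that gMSA object.
Import-Module ActiveDirectory

$gmsaName       = 'myServiceAccountName'
$requiredGroups = 'Domain Controllers', 'Read-only Domain Controllers'

# PrincipalsAllowedToRetrieveManagedPassword is returned as a list of
# distinguished names, so resolve the required groups to DNs before comparing.
$gmsa    = Get-ADServiceAccount -Identity $gmsaName `
             -Properties PrincipalsAllowedToRetrieveManagedPassword
$current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

$requiredDns = foreach ($g in $requiredGroups) {
    (Get-ADGroup -Identity $g).DistinguishedName
}

$missing = @($requiredDns | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    # The parameter REPLACES the whole list. Pass the union of the existing
    # entries and the missing ones so no previously allowed host is dropped.
    $newList = @($current) + $missing
    Set-ADServiceAccount -Identity $gmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword $newList
    Write-Host "Added to allowed principals: $($missing -join ', ')"
} else {
    Write-Host "All required principals already present; nothing changed."
}

# Show the resulting list for the change record.
(Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# --- Run the following on the RODC itself (commented out here) ---
# Install-ADServiceAccount registers the account on the local host;
# Test-ADServiceAccount returns $true only if this machine can actually
# retrieve the managed password, which is exactly what failed with
# 'Access Denied' in the question.
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName
```

Test-ADServiceAccount is the check worth keeping in a runbook: a $false result after Install-ADServiceAccount points at the retrieval ACL (the allowed-principals list) rather than at the software being deployed.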
