Add Additional Computers/Host to Existing gMSA

I need to be able to add additional computers to the existing list of a pre-existing gMSA. Re-running the Set-ADServiceAccount command only replaces the existing list. And running Add-ADComputerServiceAccount doesn’t seem to do anything.

If you have written some code to do this, can you please share it here?

Sounds like you are trying to add a new principal to retrieve the password. You might try something like this…

# Read the current list of principals that may retrieve the password
$GMSAAccount = Get-ADServiceAccount -Identity AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
# Build a new array from the existing entries plus the new one (wrapping in @() keeps a single or empty value usable as an array)
$NewPrincipals = @($GMSAAccount.PrincipalsAllowedToRetrieveManagedPassword) + 'CN=NewAccountname,OU=SomeOU,DC=domain,DC=local'
# Write the combined list back; the parameter replaces the attribute, so the old entries must be included
Set-ADServiceAccount -Identity AccountName -PrincipalsAllowedToRetrieveManagedPassword $NewPrincipals

You need to show how you are using these, otherwise you just leave it as a guessing effort, which is not helpful to you relative to any resolution.

What you are seeing for Set-ADServiceAccount is by design.
What you say you are seeing with Add-ADComputerServiceAccount is not by design. Of course, this cmdlet is explicitly designed to

'Adds one or more service accounts to an Active Directory computer.' https://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adcomputerserviceaccount?view=win10-ps

So, again, show what you are doing.

Regarding what you posted, if you are passing a collection, you have to pass that via a loop using either of these cmdlets, since, as per the docs, they are expecting a singular entry.

$NewPrincipals | %{ Set-ADServiceAccount AccountName -PrincipalsAllowedToRetrieveManagedPassword $_ }

How you are passing this in is also not how it is documented.

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Set-ADServiceAccount service1 -PrincipalsAllowedToRetrieveManagedPassword "MsaAdmins.corp.contoso.com"

Description

Sets the principals allowed to retrieve the password for this managed service account to be limited to only members of the specified Active Directory group account.
https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adserviceaccount?view=winserver2012-ps

They expect a singular entry or a comma-separated entry.

Add the service account 'SvcAcct1' to a Computer Account 'ComputerAcct1'

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Add-ADComputerServiceAccount -Computer ComputerAcct1 -ServiceAccount SvcAcct1,SvcAcct2

Description

Add 2 service accounts 'SvcAcct1,SvcAcct2' to a Computer Account 'ComputerAcct1'.

I want to imagine Patrick’s approach of gathering the current list of principals allowed, adding to that list, and then re-running the Set-ADServiceAccount is what’s needed. There is no -Append type of parameter for the Set-ADServiceAccount cmdlet, so you just need to work around that the best you can.
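The read-merge-write workaround the thread converges on, written up as an added example that is not from any poster here: the function name Add-GmsaAllowedComputer and the sample identities are invented, while the cmdlets and parameters are the ActiveDirectory module's own.

```powershell
# Added example: append computers to a gMSA's PrincipalsAllowedToRetrieveManagedPassword
# without dropping the entries already there. Because Set-ADServiceAccount REPLACES the
# attribute, the existing list is read first, merged, then written back.
function Add-GmsaAllowedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ServiceAccount,   # gMSA name, e.g. 'svc_web$' (sample value)
        [Parameter(Mandatory)] [string[]] $ComputerName      # hosts to add, e.g. 'WEB03','WEB04' (sample values)
    )

    $gmsa = Get-ADServiceAccount -Identity $ServiceAccount `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    # Existing principals come back as distinguished names; @() keeps a single
    # or empty value usable as an array.
    $current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    # Resolve each host to its DN. A typo fails loudly here instead of
    # quietly becoming a bogus entry in the allowed list.
    $toAdd = foreach ($c in $ComputerName) {
        $dn = (Get-ADComputer -Identity $c -ErrorAction Stop).DistinguishedName
        if ($current -contains $dn) {
            Write-Verbose "$c is already allowed; skipping"
        } else {
            $dn
        }
    }

    if (-not $toAdd) { Write-Verbose 'Nothing to add'; return $current }

    # Union of old and new: this whole array is what gets stored.
    $merged = @($current + $toAdd | Select-Object -Unique)

    if ($PSCmdlet.ShouldProcess($ServiceAccount,
            "allow $($toAdd.Count) more principal(s) to retrieve the managed password")) {
        Set-ADServiceAccount -Identity $ServiceAccount `
            -PrincipalsAllowedToRetrieveManagedPassword $merged
    }

    # Re-read so the caller sees what AD actually stored, not what was sent.
    (Get-ADServiceAccount -Identity $ServiceAccount `
        -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
}

# Usage: review the -WhatIf output first, since this list is the access boundary for the password.
# Add-GmsaAllowedComputer -ServiceAccount 'svc_web$' -ComputerName 'WEB03','WEB04' -WhatIf
# Add-GmsaAllowedComputer -ServiceAccount 'svc_web$' -ComputerName 'WEB03','WEB04' -Verbose
```

If access is granted through a group rather than individual computer objects, the host only sees the new membership after it obtains a fresh Kerberos ticket (typically a reboot); running Test-ADServiceAccount on the host afterwards confirms it can retrieve the password.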