I need to be able to add additional computers to the existing list of a pre-existing gMSA. Re-running the Set-ADServiceAccount command only replaces the existing list. And running Add-ADComputerServiceAccount doesn’t seem to do anything.
If you have written some code to do this, can you please share it here ?
Sounds like you are trying to add a new principal to retrieve the password. You might try something like this…
$GMSAAccount = Get-ADServiceAccount AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
# Build a new array from the current list plus the extra principal; Set-ADServiceAccount then writes the whole list back
$NewPrincipals = @($GMSAAccount.PrincipalsAllowedToRetrieveManagedPassword) + 'CN=NewAccountname,OU=SomeOU,DC=domain,DC=local'
Set-ADServiceAccount AccountName -PrincipalsAllowedToRetrieveManagedPassword $NewPrincipals
You need to show how you are using these, otherwise you just leave it a guessing effort, which is not helpful to you relative to any resolution.
What you are seeing for Set-ADServiceAccount is by design.
What you say you are seeing with Add-ADComputerServiceAccount is not by design. Of course, this cmdlet is explicitly designed to 'Add one or more service accounts to an Active Directory computer.' https://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adcomputerserviceaccount?view=win10-ps
So, again, show what you are doing.
Regarding what you posted, if you are passing a collection, then you have to pass that via a loop using either of these cmdlets, since, as per the docs, they are expecting a singular entry.
$NewPrincipals | %{Set-ADServiceAccount AccountName -PrincipalsAllowedToRetrieveManagedPassword $_}
How you are passing this in is also not how it is documented.
From the Set-ADServiceAccount docs, Example 3:
C:\PS>Set-ADServiceAccount service1 -PrincipalsAllowedToRetrieveManagedPassword "MsaAdmins.corp.contoso.com"
Description: Sets the principals allowed to retrieve the password for this managed service account to be limited to only members of the specified Active Directory group account.
They expect a singular entry or a comma separated entry.
From the Add-ADComputerServiceAccount docs, Example 1 adds the service account 'SvcAcct1' to a Computer Account 'ComputerAcct1'; Example 2:
C:\PS>Add-ADComputerServiceAccount -Computer ComputerAcct1 -serviceAccount SvcAcct1,SvcAcct2
Description: Add 2 service accounts 'SvcAcct1,SvcAcct2' to a Computer Account 'ComputerAcct1'.
I want to imagine Patrick’s approach of gathering the current list of principals allowed, adding to that list, and then re-running the Set-ADServiceAccount is what’s needed. There is no -Append type of parameter for the Set-ADServiceAccount cmdlet, so you just need to work around that the best you can.
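A worked version of the gather-append-Set approach discussed in this thread, added here as an example rather than code posted by any of the participants. It assumes the ActiveDirectory module, rights to modify the gMSA, and placeholder names ('svc-web', 'WEB03', 'WEB04') that you would replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Append computers or groups to a gMSA's PrincipalsAllowedToRetrieveManagedPassword
# without dropping the entries that are already there. Set-ADServiceAccount always
# writes the full list, so the merge has to happen client-side before the call.
function Add-GmsaPasswordRetriever {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Name,       # gMSA SamAccountName
        [Parameter(Mandatory)] [string[]] $Principal   # computer or group: name, DN or SID
    )

    $gmsa = Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword

    # The existing entries come back as distinguished names, so resolve the new
    # principals to DNs as well; otherwise the duplicate check below would miss them.
    $current  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    $resolved = foreach ($p in $Principal) {
        $obj = $null
        foreach ($cmd in 'Get-ADComputer', 'Get-ADGroup') {
            try { $obj = & $cmd -Identity $p -ErrorAction Stop; break } catch { }
        }
        if (-not $obj) { throw "Principal '$p' is not a computer or group in this domain" }
        $obj.DistinguishedName
    }

    $new = @($resolved | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) {
        Write-Verbose "All requested principals are already allowed; nothing to change"
        return $current
    }

    $merged = $current + $new
    if ($PSCmdlet.ShouldProcess($gmsa.DistinguishedName, "Allow $($new -join ', ') to retrieve the password")) {
        # Set- replaces the list, which is why the merged array (old + new) is passed, not just $new
        Set-ADServiceAccount -Identity $gmsa -PrincipalsAllowedToRetrieveManagedPassword $merged
    }
    return $merged
}

# Dry run first (-WhatIf), then apply. Placeholder names; replace with your gMSA and hosts.
Add-GmsaPasswordRetriever -Name 'svc-web' -Principal 'WEB03', 'WEB04' -WhatIf
Add-GmsaPasswordRetriever -Name 'svc-web' -Principal 'WEB03', 'WEB04' -Verbose
```

If the principal you add is a group rather than the computer itself, the host needs a fresh Kerberos ticket that reflects the new membership (reboot, or purge the system account's ticket cache) before Test-ADServiceAccount on that host returns True.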