Change service account to gMSA???

Have been testing group managed service accounts in Windows 2012 R2 and am now set to change services on various Windows servers to gMSAs. I put together this little script just for testing. This works fine for a single host and a specified service with creds specified like this: “Domain\Username”. But, when I try to enter a gMSA username but omit the password variable (as most of us are aware, Active Directory handles the password), the command doesn’t work:

$Box = Read-Host "Enter computername"
$User = Read-Host "Enter domain\username"
$Pass = Read-Host "Enter password" -AsSecureString
$Srvc = Read-Host "Enter service name to change"
$service = gwmi win32_service -ComputerName $Box -Filter "name='$Srvc'"
# Win32_Service.Change expects a plain-text StartPassword, not a SecureString object,
# so unwrap it only for this call (for a gMSA the password argument is simply $null).
$PlainPass = (New-Object System.Management.Automation.PSCredential 'x', $Pass).GetNetworkCredential().Password
# WMI methods are invoked with parentheses, not square brackets
$service.Change($null,$null,$null,$null,$null,$null,"$User",$PlainPass)

Also tried the following script from https://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf and left out the password variable, but it doesn’t work either.

$UserName = "Infralab\santhosh"
$Password = "Password"
$Service = "MpsSvc" # Change service name with your service name
$Cred = Get-Credential # Prompts you for user name and password
Import-Csv C:\Scripts\input.csv | % {
    $ServerN = $_.ServerName
    $svcD = gwmi win32_service -ComputerName $ServerN -Filter "name='$Service'" -Credential $Cred
    $StopStatus = $svcD.StopService()
    If ($StopStatus.ReturnValue -eq "0") # validating status - http://msdn.microsoft.com/en-us/library/aa393673(v=vs.85).aspx
    {Write-Host "$ServerN -> Service Stopped Successfully"}
    $ChangeStatus = $svcD.Change($null,$null,$null,$null,$null,$null,$UserName,$Password,$null,$null,$null)
    If ($ChangeStatus.ReturnValue -eq "0")
    {Write-Host "$ServerN -> Successfully Changed User Name"}
    $StartStatus = $svcD.StartService()
    # Check the start result here, not the change result a second time
    If ($StartStatus.ReturnValue -eq "0")
    {Write-Host "$ServerN -> Service Started Successfully"}
}

So, do you change a Windows service account to a gMSA and not include a password???

Another thing, and this is probably really basic, but I can’t seem to get it to work: the above script imports a CSV. Just for testing, I tried doing “gc d:\testboxes.txt” and that didn’t work. It seems that if the script can import server names from a CSV, it should work with “get-content d:\testboxes.txt”, or does it have to be written differently?

Managed service account names (like computer and trust accounts) actually end with a $ character, and I’m not seeing that in your $UserName variable. Try this, and see if it works:

$UserName = 'Infralab\santhosh$'

Thx for the suggestion Dave.
I’ll give it a go. But, do you have any suggestions for omitting the PASSWORD variable in the command? The reason the command didn’t work could be that I had left out the dollar sign $, regardless of whether I omitted the PASSWORD variable. Guess I won’t know until I try it. I’ll know whether the issue was omitting the PASSWORD variable or not including the dollar sign at the end of the gMSA.

Dave, that worked! Appended the dollar sign $ at the end of gMSA account and omitted the PASSWORD in the command. Service started right up!
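The procedure the thread arrives at (trailing `$` on the account name, `$null` for the password), as an added example that is not code from the thread or from the TechNet gallery script: one function that applies the same Win32_Service.Change call with return-code checks at every step, fed from a plain text file via Get-Content. Set-ServiceLogonToGmsa and Describe are names chosen here; it assumes the gMSA is already installed on each target host and that the hosts are allowed to retrieve its password.

```powershell
# Added example (not code from the thread): switch a service to a gMSA with the same
# Win32_Service.Change call used above, checking each step's return code.
# Assumes the gMSA is already installed on every target host (Install-ADServiceAccount)
# and that each host may retrieve its password; 'D:\testboxes.txt' is a placeholder path.
function Set-ServiceLogonToGmsa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$GmsaAccount   # DOMAIN\name$ (trailing $ required)
    )
    # The fix found in the thread: a gMSA logon name must end with '$'.
    if ($GmsaAccount -notmatch '\$$') {
        throw "'$GmsaAccount' is not a gMSA logon name; it must end with '`$' (DOMAIN\name`$)."
    }
    # Documented Win32_Service return codes most likely to appear in this procedure.
    $codes = @{ 0 = 'Success'; 2 = 'Access denied'; 5 = 'Service cannot accept control';
                7 = 'Request timeout'; 15 = 'Service logon failed'; 22 = 'Invalid service account' }
    function Describe([uint32]$rv) { if ($codes[[int]$rv]) { "$rv ($($codes[[int]$rv]))" } else { "$rv" } }

    $svc = Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on $ComputerName" }
    if (-not $PSCmdlet.ShouldProcess("$ComputerName\$ServiceName", "set logon to $GmsaAccount")) { return }

    if ($svc.State -ne 'Stopped') {
        $rv = $svc.StopService().ReturnValue
        if ($rv -ne 0) { throw "$ComputerName -> StopService failed: $(Describe $rv)" }
        # StopService only requests the stop; wait (up to 30 s) for the state to settle.
        for ($i = 0; $svc.State -ne 'Stopped' -and $i -lt 30; $i++) { Start-Sleep -Seconds 1; $svc.Get() }
    }
    # StartPassword is $null: AD generates and rotates the gMSA password, so none is supplied.
    $rv = $svc.Change($null, $null, $null, $null, $null, $null, $GmsaAccount, $null).ReturnValue
    if ($rv -ne 0) { throw "$ComputerName -> Change failed: $(Describe $rv)" }
    # Test StartService's own result (the script above re-tested $ChangeStatus here);
    # 15 at this point means the host could not log the gMSA on, often because it
    # is not permitted to retrieve the managed password.
    $rv = $svc.StartService().ReturnValue
    if ($rv -ne 0) { throw "$ComputerName -> StartService failed: $(Describe $rv)" }
    "$ComputerName -> $ServiceName now runs as $GmsaAccount"
}

# One server name per line in a plain text file works just as well as the CSV, via Get-Content.
Get-Content 'D:\testboxes.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
    Set-ServiceLogonToGmsa -ComputerName $_ -ServiceName 'MpsSvc' -GmsaAccount 'Infralab\santhosh$'
}
```

Run it with -WhatIf on the function call first to see which services would be touched; a non-zero code from StartService is reported with its documented meaning instead of silently being skipped.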

Hi guys,
not sure if this is still active. I have tried the script as detailed; it stops the service but doesn’t restart it, even after removing the password field. Not sure what I am missing, but I really would like to get away from MSA and change existing accounts into gMSA.

Any tips greatly appreciated.

Regards