Queries about creating Group Managed Service Account

Hi all,

This is more of a question than a problem but how come the following PowerShell command install-adserviceaccount -identity gmsatest doesn’t work after specifying a group of devices to the Group Managed Service Account i.e. -principalsallowedtoretrievemanagedpassword “domain computers” rather than the individual devices i.e. -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$? Also why is it compulsory to use the $ sign after each device? Below are 2 ways in which I have tested the commands to create the same Group Managed Service Account using a virtual simulation including results of PowerShell.

Method 1

add-kdsrootkey -effectivetime ((get-date).addhours(-10))
new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword dc-01$,dc-02$,pc01$
install-adserviceaccount -identity gmsatest

No problems

Method 2

add-kdsrootkey -effectivetime ((get-date).addhours(-10))
new-adserviceaccount -name gmsatest -dnshostname dc-01.tim.local
set-adserviceaccount -identity gmsatest -principalsallowedtoretrievemanagedpassword “Domain Computers”
install-adserviceaccount -identity gmsatest
install-adserviceaccount : Cannot install service account. Error Message: ‘An unspecified error has occurred’.
At line:1 char:1

  • install-adserviceaccount -identity gmsatest
  •   + CategoryInfo          : WriteError: (gmsatest:String) [Install-ADServiceAccount], ADException
      + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD

Problem in PowerShell but appears okay in Services Manager on each device?

Lastly what is the safest way to remove a Group Managed Service Account? One time when I removed it from Active Directory Computers and Users it caused Active Directory Administrative Center to stop working whereas another time when I used remove-adserviceaccount -identity gmsatest in PowerShell it stopped my custom Group Policies in Group Policy Management to become uneditable.

Your support would be much appreciated as I am still learning.

Kind regards,


Group names should work for the specifier, although I’d suggest that “Domain Computers” is a little broad for my security tastes. That’s like, a lot of people - might as well put the password on a post-it in the break room.

The $ is a kind of standard suffix thing going back to the NT days.

But I’ll point out that what the parameter really wants is an ADPrincipal object - not a string (although it’ll attempt to work with one). Try using Get-ADComputer or Get-ADGroup to get an object, and then pass that. A la the first answer at. active directory - Group Managed Service Accounts: -PrincipalsAllowedToRetrieveManagedPassword - Server Fault

Hi Jones,

Thank you for getting back to me and responding to my thread, will try the link in your post and to see how I get on. Lastly I will remember to take a snapshot in my test VM before attempting to create and to remove a Group Managed Service Account and thank you for all your explanations, will take those on board too.