Using gMSA as credential parameter of cmdlet

Hi, is it doable to use gMSA as credential parameter of cmdlet - for instance Add-ADGroupMember? If so how to do that?

The -Credential parameter wouldn’t know anything about this; any credentials can be used provided those credentials have permission to do the operation.

It will have permission, I am interested in how to retrieve gMSA credential in code since it is not some account whose password you can encrypt/decrypt.

From a Google search:

You can use the gMSA for a service, a group of IIS applications, or scheduled task. To do this, you must use the name of the account with $ at the end and leave the password blank.

What have you tried so far?


I am interested in how to retrieve gMSA credential in code since it is not some account whose password you can encrypt/decrypt.

If your plan is remote computer management by specifying gMSA credentials, then “the machine where this session configuration is registered must have permission to request the gMSA password in order for sessions to be created successfully.”

To create a new PS session configuration that allows gMSA credentials you would use:

New-PSSessionConfigurationFile
Register-PSSessionConfiguration

Your session configuration must allow either gMSA or virtual accounts.

Next, you should allow gMSA account login; for this use:

Set-ADServiceAccount

Specifically, you probably need to set -PrincipalsAllowedToRetrieveManagedPassword, which sets the principals allowed to use the gMSA account.

Authentication should be Kerberos, and the OS should be 64-bit, both of which should be specified in your session configuration.

Otherwise, if you plan to use the gMSA locally, it should be as easy as specifying your credentials after granting yourself the privilege to use the gMSA account.

The following links may help:
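The procedure the reply above describes, as an added example that is not part of the thread: the gMSA is never handed to -Credential; instead a constrained session configuration runs as the gMSA, so the caller never holds a password at all. The domain CONTOSO, gMSA gmsa-admin, host JUMPHOST (where the endpoint is registered), group App-Operators and user jdoe are assumed names; step 1 runs from a workstation with the ActiveDirectory RSAT module, steps 2 and 3 on JUMPHOST itself.

```powershell
# Assumed names (constructed for this example): domain CONTOSO, gMSA gmsa-admin,
# endpoint host JUMPHOST, target group App-Operators, member jdoe.
Import-Module ActiveDirectory

# 1. Create the gMSA, then restrict who may retrieve its managed password to
#    JUMPHOST only (this is the -PrincipalsAllowedToRetrieveManagedPassword
#    setting the reply mentions; anything not listed here cannot log on as it).
New-ADServiceAccount -Name 'gmsa-admin' -DNSHostName 'gmsa-admin.contoso.local'
Set-ADServiceAccount -Identity 'gmsa-admin' `
    -PrincipalsAllowedToRetrieveManagedPassword 'CONTOSO\JUMPHOST$'

# 2. On JUMPHOST: install the gMSA locally and confirm the host can actually
#    fetch the password, otherwise session creation will fail later.
Install-ADServiceAccount -Identity 'gmsa-admin'
if (-not (Test-ADServiceAccount -Identity 'gmsa-admin')) {
    throw 'JUMPHOST cannot retrieve the gMSA password; check the allowed principals.'
}

# 3. Register a restricted (JEA-style) endpoint that runs as the gMSA. Only the
#    cmdlet needed for the task is exposed, so the gMSA's rights are not reachable
#    through an arbitrary shell. -RunAsVirtualAccount is the alternative the reply
#    refers to when a gMSA is not wanted.
$cfg = Join-Path $env:TEMP 'GmsaAdmin.pssc'
New-PSSessionConfigurationFile -Path $cfg `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\gmsa-admin$' `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets 'Add-ADGroupMember'
Register-PSSessionConfiguration -Name 'GmsaAdmin' -Path $cfg -Force

# 4. From a client: no credential object is built and no password is supplied.
#    The connection itself uses Kerberos, as the reply advises; the endpoint
#    runs the script block as the gMSA.
Invoke-Command -ComputerName 'JUMPHOST' -ConfigurationName 'GmsaAdmin' `
    -Authentication Kerberos `
    -ScriptBlock { Add-ADGroupMember -Identity 'App-Operators' -Members 'jdoe' }
```

The gMSA itself still needs write access to the group's member attribute for step 4 to succeed; the endpoint only limits which cmdlets can exercise that access.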