PowerShell Commands to Manage MSA/gMSA Accounts

Hello Readers, here is another post from Norm to help you achieve more with MSAs and gMSAs through PowerShell. Enjoy.


{provided by Norm Eberly}

Since the original post regarding SQL Server 2016 and Group Managed Service Accounts, I’ve had a few questions and suggestions come up that we thought would best be covered in an FAQ rather than in separate in-depth blog articles.

So here are some items that should help you with your implementation of Managed Service Accounts (MSAs) and/or Group Managed Service Accounts (gMSAs).

  1. Some information on PowerShell commands that can help
  2. Most of the PowerShell commands used in the gMSA post require the Active Directory (AD) cmdlets. The AD Module for Windows PowerShell is not installed by default on member servers. Here is a quick method using PowerShell to install this module on a server. From a PowerShell session, run the following command. Note that you must be running the PowerShell session as an administrator. See this link for more details.

Install-WindowsFeature -Name RSAT-AD-Powershell

  1. Use the following PowerShell command to remove a Windows feature such as the AD Module if it is no longer desirable to have it on the server. See this link for more details.

Uninstall-WindowsFeature -Name RSAT-AD-Powershell

  1. The New-ADServiceAccount cmdlet is used to create new MSAs and gMSAs. Here are a few additional pointers on using this cmdlet and some of its parameters. See this link for more details.
  2. When creating a new MSA, use the -RestrictToSingleComputer parameter. Without this parameter, the new account defaults to a gMSA.

New-ADServiceAccount -Name W16-S16-MSA -RestrictToSingleComputer

  1. One of the benefits of using MSA accounts is Service Principal Name (SPN) management. MSA service accounts can automatically register a service’s SPN. However, there may be issues that prevent the SPN from being registered. If your environment is configured in such a way that SPNs do not get registered, you can use the -ServicePrincipalNames parameter to register the SPN when the MSA is created.

New-ADServiceAccount -Name W16-S16-MSA -RestrictToSingleComputer -ServicePrincipalNames MSSQLSvc/W16-S16-SA.contoso.com, MSSQLSvc/W16-S16-SA.contoso.com:1433

  1. Use Remove-ADServiceAccount to remove an MSA or gMSA from Active Directory. Note that this command only removes the managed service account from AD. It does not remove the managed service account from any computers that use it. See this link for more details.

Remove-ADServiceAccount -Identity W16-S16-MSA

  1. The Install-ADServiceAccount cmdlet is used on the member server to install the MSA/gMSA on that server. See this link for more details.

Install-ADServiceAccount W16-S16-MSA

  1. To remove a managed service account from a server (not from AD, see Remove-ADServiceAccount above), use the Uninstall-ADServiceAccount cmdlet. See this link for more details.

Uninstall-ADServiceAccount W16-S16-MSA
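
The two removal notes above imply an order: take the account off the member server first, then delete it from AD. The following is an added example, not code from the original post; the function name Remove-MsaFromServerAndAD is hypothetical, and it assumes an elevated session on the member server that hosts the account.

```powershell
# Added example: decommission an MSA on the server that uses it, then in AD.
# The function name is hypothetical; W16-S16-MSA is the account name used in this post.
function Remove-MsaFromServerAndAD {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Name)

    # The AD cmdlets come from the RSAT-AD-PowerShell feature.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module not found. Install RSAT-AD-PowerShell first.'
    }
    Import-Module ActiveDirectory

    # 1. Stop if a local service still logs on as the account.
    #    Managed service accounts show up as DOMAIN\name$ in the service logon field.
    $inUse = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -like "*\$Name`$" }
    if ($inUse) {
        throw "Still used by: $($inUse.Name -join ', '). Reconfigure these services first."
    }

    # 2. Uninstall from this server if the account is installed here.
    if (Test-ADServiceAccount -Identity $Name -WarningAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Uninstall-ADServiceAccount $Name")) {
            Uninstall-ADServiceAccount -Identity $Name -Confirm:$false
        }
    }

    # 3. Stop if AD still links the account to any other computer.
    #    HostComputers holds distinguished names, so this server is matched by its CN.
    $account = Get-ADServiceAccount -Identity $Name -Properties HostComputers
    $others = $account.HostComputers |
        Where-Object { $_ -notlike "CN=$env:COMPUTERNAME,*" }
    if ($others) {
        throw "AD still links $Name to: $($others -join '; ')"
    }

    # 4. Only now delete the account object from AD.
    if ($PSCmdlet.ShouldProcess($Name, 'Remove-ADServiceAccount')) {
        Remove-ADServiceAccount -Identity $Name -Confirm:$false
    }
}

# Dry run: reports what would be uninstalled and removed without changing anything.
Remove-MsaFromServerAndAD -Name 'W16-S16-MSA' -WhatIf
```

Without -WhatIf, each destructive step prompts for confirmation before it runs.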


This FAQ posting brings into one place the various PowerShell commands that can be used to administer MSA/gMSA accounts.

Completely Off Topic

The Bayeux Tapestry is a tapestry telling the story of the beginnings of the Norman Conquest of England. It includes scenes of events that led to the Norman invasion as well as of the Battle of Hastings.

The original Bayeux Tapestry is located at the Bayeux Museum in Bayeux, France.  The origin of the Bayeux Tapestry is not well documented, with the earliest known reference being from 1476 in an inventory of the Bayeux Cathedral.

There is an excellent replica located in Reading, UK, at the Reading Museum.  This version of the tapestry was created in Victorian England.

Having seen both, I can highly recommend a visit to both locations.



Thanks Norm,