Create the gMSA
- Create a KDS Root key:
- Open PowerShell as administrator
- Run command: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
- (Optional) Test KDS: Get-KdsRootKey
- Create a Security Group (MMC or PowerShell) to include all computer objects that will use the gMSA. For the purposes of this document, the group will be named “gMSAComputers”. Populate the group with the target computer objects.
- Execute command to create the gMSA:
New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group>
Example:
<ServiceAccountName> = gMSATest01
<fqdn> = DC01.mydomain.local
<group> = gMSAComputers
New-ADServiceAccount -name gMSATest01 -DNSHostName DC01.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword gMSAComputers
- (Optional) Test newly created gMSA: get-ADServiceAccount -Identity 'gMSATest01'
Install the gMSA
A system restart is needed for each member server that will use the newly created gMSA.
- Enable the Active Directory module for Windows PowerShell:
- Get-WindowsFeature AD-Domain-Services
- Install-WindowsFeature AD-DOMAIN-SERVICES
- Install gMSA:
Install-AdServiceAccount gMSATest01
- (Optional) Test the gMSA:
Test-AdServiceAccount gMSATest01
- Open Local Security Policy -> expand: Local Policies -> click: User Rights Assignment -> double-click: Replace a process level token. Add the newly installed gMSA, e.g. gMSATest01$
- Configure your service to authenticate using the newly created gMSA. Following the above example, the account is configured as: MYDOMAIN\gMSATest01$. Note the “$” at the end. No password is needed.
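The domain-side part of the procedure above as one added PowerShell script (example code written for this page, not part of the ApexSQL knowledge base), run on a domain controller with the ActiveDirectory module. It reuses the article's names (gMSATest01, DC01.mydomain.local, gMSAComputers); the parameter names and the member server name APP01 are constructed for the example. Beyond the steps themselves, it checks the setting that matters for security: that only the intended group can retrieve the managed password, and that the member server is actually in that group (otherwise Install-ADServiceAccount / Test-ADServiceAccount on that host will fail until it is, and until it has restarted).

```powershell
#Requires -Modules ActiveDirectory
param(
    [string]$AccountName      = 'gMSATest01',
    [string]$DnsHostName      = 'DC01.mydomain.local',
    [string]$GroupName        = 'gMSAComputers',
    [string[]]$MemberComputers = @('APP01')   # constructed sample: servers that will run the service
)

# 1. KDS root key: create one only if the domain has none. Back-dating -EffectiveTime
#    by 10 hours makes it usable immediately (the page's step); without it, wait ~10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Security group that will be allowed to retrieve the managed password.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
foreach ($name in $MemberComputers) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $name)
}

# 3. Create the gMSA, scoped to that group only (least privilege for password retrieval).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $group
}

# 4. Verify who may retrieve the password. Any principal other than the group is a finding:
#    every member of such a principal can obtain the account's credential.
$gmsa = Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$unexpected = $gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    Where-Object { $_ -ne $group.DistinguishedName }
if ($unexpected) {
    Write-Warning "Unexpected principals can retrieve the password: $($unexpected -join ', ')"
} else {
    Write-Host "OK: only $GroupName can retrieve the managed password for $AccountName"
}

# 5. Confirm each target server is a group member; a server missing here (or not yet
#    restarted after being added) will fail Install-/Test-ADServiceAccount.
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
foreach ($name in $MemberComputers) {
    if ($members -notcontains $name) { Write-Warning "$name is not a member of $GroupName" }
    else { Write-Host "OK: $name is in $GroupName (restart it before installing the gMSA)" }
}
```

After the servers have restarted, run Install-ADServiceAccount and Test-ADServiceAccount on each of them as in the "Install the gMSA" steps above.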
Continue configuring ApexSQL Audit following this Knowledge Base:
Configuring gMSA account to run ApexSQL Audit processes