gMSA + PowerShell

  • Question

  • Hi, is it possible to create a PSCredential with a gMSA account? You would then be able to install a gMSA account that only has write permissions in certain places, and whenever you use -Credential you could pass the gMSA account. Other use cases I can see are being able to execute runbooks in SMA as a different user than the one running the runbook service. This would only make sense without the use of PsExec or Task Scheduler imo.
    • Edited by Raymond Siring Wednesday, August 15, 2018 7:07 AM
    • Moved by Bill_Stewart Wednesday, December 12, 2018 5:09 PM Unanswerable drive-by question
    Wednesday, August 15, 2018 7:05 AM

All replies

  • The basic idea behind gMSA / MSA accounts is that the password is managed by AD.

    Netlogon is the service which helps to pull the gMSA password from AD.

    Hence, the services which are capable of calling into Netlogon can use the gMSA password.

    There is no way to retrieve the password and type it manually.

    • Proposed as answer by Suman Bhowmik Thursday, October 29, 2020 11:18 AM
    Thursday, October 29, 2020 11:17 AM