Monday, December 1, 2014

Group Managed Service Account (gMSA) – Access Denied

I have seen a lot of questions on TechNet forums about Access Denied error when installing Group Managed Service Account (gMSA) using Install-ADServiceAccount PowerShell cmdlet. 

Install-ADServiceAccount : Cannot Install service account.  Error Message: ‘{Access Denied}

 

14

This error message can be little misleading if you are using proper administrative credentials.  If you are using a security group for your host servers (PrincipalsAllowedToRetrieveManagedPassword), you need ensure that this particular server is part of that security group.  If you have recently added this server to the group, you need to restart the server to get the updated group membership.  The service account cannot be installed on the server before verifying the group membership.

3 comments:

I am experiencing this problem, i have rebooted the Domain controller and once it has restarted, i have rebooted the two Member servers that i want to add the Service accounts on. When i start PowerShell run as administrator, using a domain Admin account. I get the above error message?

I ran into an issue all day where managed accounts would not install no matter what security group I set. Finally I realized by mistake:

Make sure that when you run New-ADServiceAccount you specify "-PrincipalsAllowedToRetrieveManagedPassword" and not "-PrincipalsAllowedToDelegateToAccount"

Using the Domain Administrator Account to run the query above and still the same error. Also WMI parameter error trying to add the account (Account is created but does not appear capable of service as a service account - doesn't show up in the AD when adding the account to SQL Server for example)

Post a Comment

Popular Posts

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More