Apr 22 2017

Managed Service Account Fails after Reboot

Published by under Windows




Windows services can be started with a Managed Service Account (MSA) for the sake of security and easy management.
 
It was working just fine until I initiated a server reboot. The service would not start. Opening the service and wiping out the password field makes the service start again.
 
What could be wrong?
Let’s focus on the message displayed when the MSA is assigned to the service: "The account has been granted the Log On As a Service right."
This is a local security setting, and a group policy (GPO) applied domain-wide can overwrite it.
 
An easy way to check which accounts are granted the Log On As a Service right is to run rsop.msc.

 
Browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and check that your Managed Service Account is in the list under the Security Policy Setting. If not, update your GPO and check that the policy comes first in the Precedence tab.

 


Apr 06 2017

Windows Managed Service Accounts

Published by under Windows




Managed service accounts (MSAs) appeared with Windows Server 2008 R2. An MSA provides a dedicated account for each service without the hassle of managing password assignment or reset: less management, more security.
However, an MSA can only be used on one server.
 
Setting up a managed service account is done in two steps:
create it on the Active Directory domain controller, then install it on the machine where the service will run.
 
On the domain controller, run the following two commands in PowerShell to create the account (this cannot be done through a graphical interface):

Import-Module ActiveDirectory
New-ADServiceAccount -Name Service_Account -Enabled $true

 
The account shows up under “Managed Service Accounts” in Active Directory Users and Computers (check Advanced Features in the View menu).
Then assign the account to the machine where the service will run:

Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account

 
On the target machine, add the Active Directory module for PowerShell feature:
 
Add Feature:
Remote Server Administration Tools
   Role Administration Tools
     AD DS and AD LDS Tools
      Active Directory module for Windows PowerShell
 
Then install the service account in PowerShell:

Install-ADServiceAccount -identity Service_Account

 

 
Configure the service to log on as DOMAIN\Service_Account$, leaving the password blank. Don’t forget the $ at the end of the account name!
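Putting this post together with the "Managed Service Account Fails after Reboot" post above, here is an added PowerShell script (not code from the original posts) that runs the two setup steps, verifies with Test-ADServiceAccount that the host can actually use the account, and then checks the effective local policy for SeServiceLogonRight, the right a domain GPO can overwrite. It assumes the names Service_Account and Target_Server, a scratch file under $env:TEMP, and that it is run on the target host by an account allowed to create MSAs.

```powershell
# Added example, not code from the original posts. Assumed names: Service_Account
# (the MSA), Target_Server (the host the service runs on), $env:TEMP\msa_rights.inf
# (scratch file). Run on Target_Server, which has the AD module installed, by an
# account allowed to create MSAs in the domain.
Import-Module ActiveDirectory

$MsaName    = 'Service_Account'   # assumed
$TargetHost = 'Target_Server'     # assumed

# Step 1 (the post's first step): create the MSA and bind it to the target computer.
New-ADServiceAccount -Name $MsaName -Enabled $true
Add-ADComputerServiceAccount -Identity $TargetHost -ServiceAccount $MsaName

# Step 2: install it locally. Test-ADServiceAccount returns $true only when this
# computer can retrieve the MSA's password, so it catches a failed binding early.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "$env:COMPUTERNAME cannot use $MsaName; re-check Add-ADComputerServiceAccount."
}

# Step 3: confirm the effective local policy still grants the MSA
# SeServiceLogonRight ("Log on as a service"). A domain GPO for User Rights
# Assignment replaces the whole list, which is what breaks the service after a reboot.
$inf = Join-Path $env:TEMP 'msa_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit writes e.g.  SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...-1105
# (SIDs prefixed with '*'). Comparing SIDs avoids name / trailing-$ mismatches.
$msaSid  = (Get-ADServiceAccount -Identity $MsaName).SID.Value
$line    = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
           Select-Object -First 1
$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue

if ($granted -contains $msaSid) {
    "OK: $MsaName holds 'Log on as a service' on $env:COMPUTERNAME."
} else {
    "WARNING: $MsaName is missing from SeServiceLogonRight on $env:COMPUTERNAME. " +
    "A domain GPO has probably overwritten the right granted when the service was " +
    "configured; add the account to that GPO's User Rights Assignment and run gpupdate /force."
}
```

Run the SeServiceLogonRight check again after a reboot or gpupdate: if it passes right after configuring the service but fails afterwards, a GPO is replacing the list.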

 


Mar 21 2017

Count Results in PowerShell

Published by under Windows





 

I was astonished to see that PowerShell displays nothing for .Count when a pipeline returns 0 or 1 object, since a single object is not an array.
 
Here’s a screenshot retrieving the number of AD accounts.
 
Instead, pipe the results to the Measure-Object cmdlet (alias measure) and read its Count property:

C:\>(Get-ADUser -filter {SamAccountName -like "dron*"} |
     select SamAccountName | measure).count
1

 

 
Another useful command:
Tee-Object (alias tee) lets you store the result set in one variable and its number of elements in another:
 

C:\>$accountnb = (Get-ADUser -filter {SamAccountName -like "dr*"} |
                 select SamAccountName |
                 tee -Variable accounts | measure).count
C:\>$accountnb
3
C:\>$accounts

SamAccountName
--------------
draguene
drondy
droze
 
