Forum Discussion
pugazhendhi
Brass Contributor
Sep 10, 2021
Test-AdServiceAccount getting result false
Test-AdServiceAccount -Identity gmsa_account
False
WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another comput...
EliOfek
Microsoft
Sep 11, 2021
Make sure the machine account has permissions to retrieve the gMSA password.
If you open a support call, support can help with that.
- pugazhendhi
Brass Contributor
Sep 13, 2021
How can we verify that?
We can see a successful result for other RODC servers?
The gMSA account is already added to "Log on as a service" in the Default Domain Controller Policy.
Any suggestions?
- Martin_Schvartzman
Microsoft
Oct 19, 2021
You should run the following command:
Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword
and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.
The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.
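Added example, not part of the original replies: one way to script the check described above, covering both a direct entry and membership through nested groups. The function name Test-GmsaRetrievalPermission and the host name RODC01 are hypothetical; it assumes the ActiveDirectory module (RSAT) and rights to read and modify the gMSA.

```powershell
# Added example: checks whether a computer may retrieve a gMSA password,
# either as a direct entry or through (nested) group membership.
Import-Module ActiveDirectory

function Test-GmsaRetrievalPermission {
    param(
        [Parameter(Mandatory)] [string] $GmsaName,      # e.g. gmsa_account
        [Parameter(Mandatory)] [string] $ComputerName   # hypothetical host, e.g. RODC01
    )
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($principalDn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $principalDn
        if ($principal.DistinguishedName -eq $computerDn) {
            return [pscustomobject]@{ Allowed = $true; Via = 'direct entry' }
        }
        if ($principal.ObjectClass -eq 'group') {
            # -Recursive expands nested groups down to their leaf members
            $members = Get-ADGroupMember -Identity $principalDn -Recursive
            if ($members.DistinguishedName -contains $computerDn) {
                return [pscustomobject]@{ Allowed = $true; Via = "group $($principal.Name)" }
            }
        }
    }
    [pscustomobject]@{ Allowed = $false; Via = $null }
}

$result = Test-GmsaRetrievalPermission -GmsaName 'gmsa_account' -ComputerName 'RODC01'
$result

if (-not $result.Allowed) {
    # Set-ADServiceAccount replaces the whole list, so pass the existing
    # principals together with the new computer; otherwise hosts that
    # already pass Test-AdServiceAccount would lose access.
    $gmsa = Get-ADServiceAccount -Identity 'gmsa_account' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $updated = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword) +
        (Get-ADComputer -Identity 'RODC01').DistinguishedName
    # -WhatIf only previews the change; remove it to apply.
    Set-ADServiceAccount -Identity 'gmsa_account' `
        -PrincipalsAllowedToRetrieveManagedPassword $updated -WhatIf
}
```

If access is granted through a group, the computer picks up the new membership only after its Kerberos ticket is renewed, for example after a restart.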