ATP DFI CMD for gMSA account creation



I would like to create a gMSA account for ATP/DFI configuration.


Shall I use the below cmd to create a gMSA account?


New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword Group_MSA-atp


gMSA account name: MSA-atp (name and sAMAccountName are the same)

Group name: Group_MSA-atp (creating this group to add all writable and RODC domain controllers so they can retrieve the password)


Or should I go with the below cmd:


New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword DC01,DC02,DC03


If I use the above cmd, do I need to add all my 100 DCs like this?


1 Reply



Using a group is easier to maintain, for when you want to add/remove computer accounts. So I would go with the first command.

Having said that, group membership is evaluated at logon, meaning when the computer boots up.

But you can run the following command (instead of a restart) to purge the Kerberos tickets and force the system to refresh its token and group memberships.

klist purge -li 0x3e7

(0x3e7 is the computer account logon session)
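A worked version of the group-based approach from the reply, as an added example and not code from the original thread: it enumerates every domain controller instead of listing 100 names by hand, creates the gMSA with a DNSHostName (which New-ADServiceAccount requires for a group-scoped gMSA, so the cmdlet does not prompt for it), and checks the result. The domain name contoso.local, the KDS root key handling and the DNSHostName value are assumptions, not values from the thread.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module (RSAT),
# Domain Admin rights, and that the names below (MSA-atp, Group_MSA-atp, contoso.local) fit your domain.
Import-Module ActiveDirectory

$gmsaName  = 'MSA-atp'
$groupName = 'Group_MSA-atp'
$dnsHost   = "$gmsaName.contoso.local"   # assumed FQDN; a group-scoped gMSA needs a DNSHostName

# 1. gMSA passwords are derived from a KDS root key; creation fails without one.
#    A freshly created key only becomes usable after the ~10 hour replication window.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'KDS root key just created; wait ~10 hours before creating the gMSA.'
}

# 2. Security group that holds every DC (writable and RODC) allowed to retrieve the password.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the MSA-atp gMSA password'
}

# 3. Enumerate DCs instead of typing 100 names. Get-ADDomainController returns writable DCs
#    and RODCs; ComputerObjectDN points at the computer account that joins the group.
$dcs = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $groupName -Members $dcs

# 4. Create the gMSA with the group as the principal and the 60-day interval from the question.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
        -ManagedPasswordIntervalInDays 60 `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# 5. Verify: who may retrieve the password, and what the gMSA object looks like.
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Format-List Name, DNSHostName, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword
```

Because DCs only pick up the new group membership at logon, run the `klist purge -li 0x3e7` from the reply (or reboot) on each DC before the sensor first tries to retrieve the password, then confirm with `Test-ADServiceAccount MSA-atp` on that DC.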