ATP DFI CMD for gMSA account creation,


Hi,

I would like to create a gMSA account for the ATP/DFI configuration.

 

Shall I use the below cmd to create the gMSA account?

 

New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword Group_MSA-atp

 

gMSA account name: MSA-atp (name and SamAccountName are the same)

Group name: Group_MSA-atp (creating this group to add all writable and RODC domain controllers so they can retrieve the password).

 

Or should I go with the below cmd:

 

New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword DC01,DC02,DC03

 

If I use the above cmd, do I need to add all my 100 DCs like this?

 

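The following is an added example, not code from the original post, showing the group-based variant the post describes end to end: create the DC group, populate it from the domain's current DC list (writable and read-only), create the gMSA with the group as the only principal allowed to retrieve the password, and verify the result. It adds `-DNSHostName`, which `New-ADServiceAccount` requires for a group MSA, and checks for a KDS root key, without which gMSA creation fails. The domain suffix `corp.example` is a placeholder, and it assumes the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example (not the original poster's code). Assumes the ActiveDirectory
# module, Domain Admin rights and a domain whose DNS name is corp.example (placeholder).
Import-Module ActiveDirectory

$gmsaName  = 'MSA-atp'        # account name from the post
$groupName = 'Group_MSA-atp'  # group name from the post
$dnsSuffix = 'corp.example'   # placeholder: replace with your domain's DNS name

# 1. gMSA passwords are derived from the KDS root key; without one, creation fails.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey and let it replicate first.'
}

# 2. Security group that will be the only principal allowed to fetch the password.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security `
        -Description 'Domain controllers allowed to retrieve the MSA-atp gMSA password'
}

# 3. Add every DC (writable and RODC) that is not already a member. Re-running
#    this picks up DCs promoted later, so the list never has to be maintained by hand.
$dcComputers = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
$existing = Get-ADGroupMember -Identity $groupName |
    Select-Object -ExpandProperty DistinguishedName
$missing = $dcComputers | Where-Object { $_.DistinguishedName -notin $existing }
if ($missing) {
    Add-ADGroupMember -Identity $groupName -Members $missing
}

# 4. Create the gMSA, naming the group rather than individual DCs.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -SamAccountName $gmsaName `
        -DNSHostName "$gmsaName.$dnsSuffix" `
        -ManagedPasswordIntervalInDays 60 `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# 5. Review who may retrieve the password; only the group should be listed.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 6. On each DC, after it has refreshed its Kerberos ticket (reboot or purge the
#    computer's tickets) so the new group membership is in its token, confirm:
#    Test-ADServiceAccount -Identity MSA-atp    # True when the DC can fetch the password
```

Pointing `PrincipalsAllowedToRetrieveManagedPassword` at a group keeps the set of machines that can read the gMSA secret auditable in one place, and a DC that is later promoted only needs to be added to the group rather than the service account being edited. Step 6 matters because a DC's token is built at logon, so a freshly added member will report `False` from `Test-ADServiceAccount` until its ticket is renewed.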