Forum Discussion

pugazhendhi
Brass Contributor
Sep 10, 2021

Test-AdServiceAccount getting result false


Test-AdServiceAccount -Identity gmsa_account
False

WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.


I'm getting the above error and the ATP service is not starting.


Any suggestion?

  • Make sure the machine account has permissions to retrieve the gMSA password.
    If you open a support call, support can help with that.
      pugazhendhi
      Brass Contributor
      How can we verify that?
      We can see a successful result for the other RODC servers.

      The gMSA account is already added to "Log on as a service" in the Default Domain Controller Policy.
      Any suggestion?
        Martin_Schvartzman
        Microsoft

        pugazhendhi

        You should run the following command:

        Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword

        and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.

        The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.
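        The check and the fix described in the reply above, written out as an added PowerShell example (this is not code from the original thread or from Microsoft). It assumes the ActiveDirectory RSAT module is installed, that it runs on the affected host, and that the caller has rights to modify the gMSA object; the account name gmsa_account comes from the thread, and the host name is taken from the local machine.

```powershell
# Added example: verify that this host may retrieve the gMSA password
# (directly or through nested group membership), grant it if not, and
# show which Kerberos encryption types the gMSA requires.
# Assumptions: ActiveDirectory module present, run on the affected host,
# caller may write the gMSA object. Account name taken from the thread.
Import-Module ActiveDirectory

$gmsaName = 'gmsa_account'
$hostName = $env:COMPUTERNAME

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-SupportedEncryptionTypes'
$computer = Get-ADComputer -Identity $hostName

# All groups the computer belongs to, including nested membership, using the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
$nestedGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))" |
    Select-Object -ExpandProperty DistinguishedName

$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host "Principals allowed to retrieve the password for ${gmsaName}:"
$allowed | ForEach-Object { Write-Host "  $_" }

# The host qualifies if it is listed directly or via any group in the list.
$match = $allowed | Where-Object {
    $_ -eq $computer.DistinguishedName -or $nestedGroups -contains $_
}

if ($match) {
    Write-Host "$hostName is permitted via: $($match -join ', ')"
} else {
    Write-Warning "$hostName is not in the list; adding it."
    # -PrincipalsAllowedToRetrieveManagedPassword REPLACES the whole list,
    # so the existing entries must be passed back along with the new one.
    Set-ADServiceAccount -Identity $gmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword ($allowed + $computer.DistinguishedName)
}

# Decode the Kerberos encryption types the gMSA requires
# (bit flags of msDS-SupportedEncryptionTypes).
$encFlags = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}
$encValue = [int]($gmsa.'msDS-SupportedEncryptionTypes')
$encNames = $encFlags.Keys | Where-Object { $encValue -band $_ } | ForEach-Object { $encFlags[$_] }
Write-Host "gMSA supported encryption types ($encValue): $($encNames -join ', ')"

# Re-test from the host. If access was granted through a group, the host's
# existing Kerberos ticket still carries the old group list; reboot, or purge
# the machine account's tickets with 'klist -li 0x3e7 purge', before re-testing.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName
```

        The group expansion matters because PrincipalsAllowedToRetrieveManagedPassword usually holds a group rather than individual computers, and a plain string comparison against the computer's DN would report a false negative. Replacing the list wholesale is the documented behaviour of the parameter, which is why the existing entries are appended rather than overwritten.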
