Test-AdServiceAccount getting result false

pugazhendhi · ‎Sep 10 2021

Test-AdServiceAccount -Identity gmsa_account
False

WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the
Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all th
e Kerberos encryption types required for the gMSA. See the MSA operational log for more information.

I'm getting above error and ATP service is not getting start.

Any suggestion?

Eli Ofek · ‎Sep 11 2021

Make sure the machine account has permissions to retrieve the gmsa password.
IF you open a support call, support can help with that.

pugazhendhi · ‎Sep 13 2021

How we can verify that,
We can see successful result for other RODC servers?

gMSA account already added in log on a service in Default Domain Controller Policy.
Any suggestion?

Martin_Schvartzman · ‎Oct 19 2021

@pugazhendhi

You should run the following command:

Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword

and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.

The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.

Test-AdServiceAccount getting result false

Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Test-AdServiceAccount getting result false

Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false

Re: Test-AdServiceAccount getting result false