Sep 10 2021 12:45 PM
Test-AdServiceAccount -Identity gmsa_account
False
WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.
I'm getting the above error and the ATP service is not starting.
Any suggestions?
Sep 11 2021 11:46 PM
Sep 13 2021 03:36 PM
Oct 19 2021 12:46 AM
You should run the following command:
Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword
and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.
The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.
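The check described in the answer above, written out as an added example that is not part of the original thread. It also covers access granted through nested group membership. It assumes the ActiveDirectory module is installed, that it is run on the host that should use the gMSA, and it uses the thread's account name gmsa_account; the variable names are illustrative.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to read/modify the gMSA.
Import-Module ActiveDirectory

$GmsaName     = 'gmsa_account'      # account name used in the thread
$ComputerName = $env:COMPUTERNAME   # assumption: run on the host that should use the gMSA

$computer = Get-ADComputer -Identity $ComputerName
$gmsa     = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword

# Distinguished names of the principals currently allowed (empty entries filtered out).
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })

# Is the computer allowed directly, or through (nested) membership of a listed group?
$grantedVia = foreach ($dn in $allowed) {
    $principal = Get-ADObject -Identity $dn
    if ($principal.DistinguishedName -eq $computer.DistinguishedName) {
        $dn
    }
    elseif ($principal.ObjectClass -eq 'group') {
        $members = Get-ADGroupMember -Identity $dn -Recursive
        if ($members.DistinguishedName -contains $computer.DistinguishedName) { $dn }
    }
}

if ($grantedVia) {
    Write-Output "$ComputerName may retrieve the password via: $($grantedVia -join '; ')"
}
else {
    Write-Warning "$ComputerName is not in PrincipalsAllowedToRetrieveManagedPassword for $GmsaName."
    # Set-ADServiceAccount replaces the whole list, so pass the existing entries
    # together with the new one. -WhatIf previews the change; remove it to apply.
    $newList = $allowed + $computer.DistinguishedName
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $newList -WhatIf
}

# Re-run the test from the thread on this host.
Test-ADServiceAccount -Identity $GmsaName
```

If access is granted through a group the computer was only just added to, the host needs a new Kerberos ticket (for example after a restart) before the test returns True.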