Test-AdServiceAccount getting result false

Copper Contributor

 

Test-AdServiceAccount -Identity gmsa_account
False


WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the
Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all th
e Kerberos encryption types required for the gMSA. See the MSA operational log for more information.

 

I'm getting above error and ATP service is not getting start.

 

Any suggestion?

3 Replies
Make sure the machine account has permissions to retrieve the gmsa password.
IF you open a support call, support can help with that.
How we can verify that,
We can see successful result for other RODC servers?

gMSA account already added in log on a service in Default Domain Controller Policy.
Any suggestion?

@pugazhendhi 

 

You should run the following command:

Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword

and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.

The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.