This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 28.999999999999996%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Hi,
i have the following problem:
When I want to Install my gmsa with "PrincipalsAllowedToRetrieveManagedPassword" assigned to a Security-Group:
Install-ADServiceAccount gmsa_test
i got the following message:
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
and:
WARNING: Test failed for Managed Service Account gmsa_test. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
for the gMSA. See the MSA operational log for more information.
In the Event-Viewer, I got the following:
Netlogon failed to add gmsa_test as a managed service account to this local machine. {Access Denied}
A process has requested access to an object, but has not been granted those access rights.
If my gmsa_test is directly assigned with -PrincipalsAllowedToRetrieveManagedPassword "Server1$" to the server, it works well.
any ideas?
Thanks!
BR
Ludwig
If my gmsa_test is directly assigned with -PrincipalsAllowedToRetrieveManagedPassword "Server1$" to the server, it works well.
this is expected behavior and by design. You have to link gMSA account to target computers (or a group that contains computers) and only then you can install that account to allowed computer.
Hi,
its solved by herserlf.
I didn't pay attention to the kerberos thing. Of course, after 10 hours the computer requested a new kerberos ticket and then registered its group membership. Since the computer is used in prod, I could not restart it either.... That would have solved the problem as well.
But thanks for the answers.
BR
Next time, open a cmd and purge the kerbros ticket with "klist -li 0x3e7 purge" in order to skip the 10 hour wait :)
Hi there,
It is possible that you didn't correctly allowed the local computer account on which you are trying to install the AD group managed service account (gMSA) to obtain its plaint-text password. It means you didn't specify the machine account in the list of -PrincipalsAllowedToRetrieveManagedPassword parameter values of the New-ADServiceAccount or the Set-ADServiceAccount.
Without being able to retrieve the password, the servers which need to log on the group managed service account would not be able know its password and log the account on.
--If the reply is helpful, please Upvote and Accept it as an answer--
