3 thoughts on “PowerShell and Group Managed Service Accounts (gMSA)”

  1. You do not have to be in the Domain Admin group to create and modify AD Users – I’m not sure what the perms are, but this code is wrong:

    # Fragment of the post's script as quoted by the commenter; braces closed and
    # quotes normalised so it parses, behaviour unchanged.
    If ($WindowsPrincipal.IsInRole("Domain Admins")) {
        ForEach ($Name in $gMSANames) {
            $Acct = $Name.Username;
        }
    }


    But nice code – I am reviewing all of it as I was working on something similar.

    1. Yes, technically an account can be delegated permissions to create MSA/gMSA at the sub-OU level. However, most of the small/medium-sized businesses that I know have smaller IT groups where they just use the Domain Admins group.
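The delegation the reply mentions, as an added example that is not code from the original post or from either commenter: it grants one group the right to create and delete gMSA objects in a single OU, and then checks for that specific right on the OU instead of testing Domain Admins membership. The OU distinguished name, the group name, the gMSA name and the host principal are placeholder assumptions; it also assumes the ActiveDirectory module (and the AD: drive it provides) is loaded and that the one-time delegation step is run by someone who can already write the OU's ACL.

```powershell
# Added example, not from the original post or the comments above.
# Assumed placeholders: the OU DN, the delegated group, the gMSA name and
# the computer principal allowed to retrieve its password.
Import-Module ActiveDirectory

$OU    = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU
$Group = 'CORP\gMSA-Admins'                         # assumed delegated group

# schemaIDGUID of the msDS-GroupManagedServiceAccount class, read from the
# schema so the ACE is scoped to creating/deleting gMSA objects only.
$SchemaNC  = (Get-ADRootDSE).schemaNamingContext
$gMSAClass = Get-ADObject -SearchBase $SchemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-GroupManagedServiceAccount)' -Properties schemaIDGUID
$gMSAGuid  = [guid]$gMSAClass.schemaIDGUID

# One-time setup: allow $Principal to create and delete gMSA objects under $OuDn.
function Grant-gMSACreateDelete {
    param([string]$OuDn, [string]$Principal, [guid]$ClassGuid)
    $Sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $Acl    = Get-Acl -Path "AD:\$OuDn"
    $Rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $Acl
}

# Check the permission the script actually needs rather than group membership:
# does any SID in the caller's token hold an Allow ACE on the OU granting
# CreateChild for the gMSA class (or for all child classes)?
# Caveat: a simplified effective-rights check; it does not evaluate Deny ACEs.
function Test-gMSACreateRight {
    param([string]$OuDn, [guid]$ClassGuid)
    $Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $TokenSids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })
    $Acl   = Get-Acl -Path "AD:\$OuDn"
    $Rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($Rule in $Rules) {
        $IsAllow   = $Rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $CanCreate = ($Rule.ActiveDirectoryRights -band
                      [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0
        $ForgMSA   = ($Rule.ObjectType -eq $ClassGuid) -or ($Rule.ObjectType -eq [guid]::Empty)
        if ($IsAllow -and $CanCreate -and $ForgMSA -and
            ($TokenSids -contains $Rule.IdentityReference.Value)) {
            return $true
        }
    }
    return $false
}

# Run once by an administrator who can write the OU's ACL:
Grant-gMSACreateDelete -OuDn $OU -Principal $Group -ClassGuid $gMSAGuid

# Day-to-day use by a member of the delegated group, no Domain Admins required:
if (Test-gMSACreateRight -OuDn $OU -ClassGuid $gMSAGuid) {
    New-ADServiceAccount -Name 'svc-web01' -DNSHostName 'svc-web01.corp.example' `
        -Path $OU -PrincipalsAllowedToRetrieveManagedPassword 'CORP\WEB01$'
} else {
    Write-Warning "Caller lacks CreateChild (msDS-GroupManagedServiceAccount) on $OU"
}
```

Scoping the ACE to the class GUID means the delegated group cannot create arbitrary users or computers in that OU, only gMSA objects; creating a gMSA still requires that a KDS root key already exists in the forest, which is independent of this delegation.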
