4 thoughts on “PowerShell and Group Managed Service Accounts (gMSA)”

  1. You do not have to be in the Domain Admin group to create and modify AD Users – I’m not sure what the perms are, but this code is wrong:

    If ($WindowsPrincipal.IsInRole("Domain Admins")) {
        ForEach ($Name in $gMSANames) {
            $Acct = $Name.Username;


    But nice code – I am reviewing all of it as I was working on something similar.

    1. Yes, technically an account can be delegated permissions to create MSA/gMSA at the sub-OU level. However, most of the small/medium-sized businesses that I know have smaller IT groups where they just use the Domain Admins group.

      1. More relevantly, by default to create (g)MSA accounts specifically, you *do* need the Domain Admin role because only that role has permission to write to the Managed Service Account OU. Any administrators with knowledge to structure their gMSA deployments more intelligently ( -Path "OU=YournewOU,ou=yourtree,dc=yourdomain,dc=yourtld" ) will probably have suitable awareness to adjust the code here to their requirements and not just execute blindly... I hope. 🙂
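The thread above argues about whether a Domain Admins membership check is the right gate for creating gMSAs, given that rights can be delegated on a sub-OU and that the default Managed Service Accounts container is normally writable only by Domain Admins. The following is an added example, not the script from the original post or from any commenter: it keeps an informational Domain Admins check done by SID, takes the target container as a `-Path` parameter defaulting to the domain's Managed Service Accounts container, attempts the creation, and on failure lists the ACEs on that container that grant CreateChild for the gMSA class so the failure is explainable. It assumes the ActiveDirectory module, an existing KDS root key, and the placeholder OU, account and computer names shown in the commented usage line; the function names `Test-DomainAdminMembership`, `Get-GmsaCreateAces` and `New-GmsaWithReport` are this example's own.

```powershell
# Added example, not the original post's script. Assumes the ActiveDirectory module
# and a KDS root key (Add-KdsRootKey) already exist; names in the usage line are placeholders.
Import-Module ActiveDirectory

function Test-DomainAdminMembership {
    # Informational only. Resolving Domain Admins by well-known SID avoids depending on
    # the group's display name or on a domain-qualified string; the result is reported,
    # not used to block the creation, because delegated rights on the target OU decide.
    $domainSid = (Get-ADDomain).DomainSID
    $daSid = [Security.Principal.SecurityIdentifier]::new(
        [Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole($daSid)
}

function Get-GmsaCreateAces {
    # Lists Allow ACEs on $Path that grant CreateChild either for the
    # msDS-GroupManagedServiceAccount class or for all child classes (empty ObjectType).
    # This is a diagnostic, not an effective-rights calculation: it does not expand nested
    # group membership, so it explains a denial rather than predicting success.
    param([Parameter(Mandatory)] [string] $Path)

    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $gmsaClass = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msDS-GroupManagedServiceAccount)' `
        -Properties schemaIDGUID
    $gmsaGuid = [guid]$gmsaClass.schemaIDGUID
    $anyClass = [guid]::Empty
    $create   = [DirectoryServices.ActiveDirectoryRights]::CreateChild

    (Get-Acl -Path "AD:\$Path").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($create) -and
        ($_.ObjectType -eq $gmsaGuid -or $_.ObjectType -eq $anyClass)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}

function New-GmsaWithReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $DnsHostName,
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals,
        # Default is the container the comment thread refers to; pass a delegated OU to override.
        [string] $Path = "CN=Managed Service Accounts,$((Get-ADDomain).DistinguishedName)"
    )

    Write-Verbose ("Running as {0}; Domain Admins member: {1}" -f `
        [Security.Principal.WindowsIdentity]::GetCurrent().Name, (Test-DomainAdminMembership))

    try {
        New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipals `
            -Path $Path -ErrorAction Stop
        # Read the object back so the caller gets the created account, not just $null.
        return Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
    }
    catch {
        # Any failure: show who can create gMSAs in $Path, then rethrow the original error.
        Write-Warning "Creating '$Name' in '$Path' failed: $($_.Exception.Message)"
        Write-Warning "ACEs granting CreateChild for gMSAs on '$Path':"
        Get-GmsaCreateAces -Path $Path | Format-Table -AutoSize | Out-String | Write-Warning
        throw
    }
}

# Placeholder usage (commented out so loading this file creates nothing):
# New-GmsaWithReport -Name 'svc-web01' -DnsHostName 'svc-web01.corp.example' `
#     -AllowedPrincipals 'WEB01$' -Path 'OU=ServiceAccounts,OU=Tier1,DC=corp,DC=example' -Verbose
```

Running the creation and inspecting the denial is more reliable than pre-checking group membership: a delegated operator who is not a Domain Admin succeeds against their OU, and a Domain Admin who mistypes `-Path` gets the ACE listing rather than a silent skip.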
