Group Managed Service Accounts (gMSA) are an awesome way to have Active Directory taking care of password changes for the service accounts. How to create Group Managed Service Accounts and how to assign them to Windows services you will find plenty of articles and blog posts on the internet. Group Managed Service Accounts solve you two main problems:
- They remove the need to manage the service accounts with respect to the overhead of service account password management.
- Service Principal Names (SPNs) registration can be done automatically.
One of the well known use cases is to use gMSA for SQL Servers. There is an article of using gMSA in SQL Server 2016. Now that we know what gMSA can do for us and where to use, we might want to use them when installing a SQL Server using DSC module xSQLServer . The problem with this module is, that the resource xSQLServerSetup does allow you to assign accounts (actually it expects PowerShell credentials) to the SQL Server Windows services. That means you cannot assign a gMSA to this DSC resource, it will fail. So what can you do? Well, one option is to install SQL Server using xSQLServer DSC module assigning credentials to the SQL Server services and replace the service account afterwards through a gMSA. So, how can you do that? Well, I have not found a cmdlet to do so in any PowerShell version. The only way I figured out is to us the WMI class Win32_Service using PowerShell. In this example I had the need for changing the SQL Server Agent service login to a gMSA.The script looks like this…
First we need to define domain and service name:
$ADDomain = ‘Domain’<br>$ServiceName = 'SQLAgent$Instance'
Next we retrieve the gMSA gMSASQLService from Active Directory:
$Account= $ADDomain + "\" + (Get-ADServiceAccount -Identity "gMSASqlService").samaccountname
Then we get the Windows service instance via WMI:
$Service = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
Finally we use the change method from the Win32_Service class to change the login. Note here, that you don’t need to submit the password, because this is managed by Active Directory:
The change method has lot’s of parameter to submit and you might are wondering what these all are. I found on MSDN the description of it…
After we changed the login, I set the startup type to automatic and restart the service:
Set-Service -Name $ServiceName -StartupType Automatic | Restart-Service