From LedHed's Wiki

Overview

Microsoft created Group Managed Service Accounts (gMSAs) to address the weaknesses of traditional service accounts. gMSAs automatically rotate their passwords, just like AD computer objects.


Challenge

Sometimes you need to log in as a particular service account so you can install certificates, set proxy settings, or install applications. With a gMSA you never know the account's password, so you can't log in.


Solution

PsExec to the rescue. Using PsExec64.exe (v2.2+), you can run an application as a gMSA.

PSExec64.exe -i -u DOMAIN\gMSA-Account$ -p ~ cmd.exe

-i = Interactive (so you can run GUI apps like MMC.exe)

-p = Password. ~ is a stand-in for no password (you can omit this and just press Enter at the Password: prompt).
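
A preflight wrapper around the command above, as an added example that is not from the original wiki page: it checks the PsExec version, the trailing $ on the account name, and whether this host is allowed to use the gMSA before launching. Invoke-AsGmsa is a hypothetical helper name, and the PsExec path and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original page.
# Assumptions: RSAT ActiveDirectory module is installed and PsExec64.exe is at
# the default path below. Invoke-AsGmsa is a hypothetical helper name.
function Invoke-AsGmsa {
    param(
        [string]$Account    = 'DOMAIN\gMSA-Account$',   # placeholder from the page
        [string]$PsExecPath = 'C:\Tools\PsExec64.exe',  # assumed location
        [string]$Command    = 'cmd.exe'
    )

    # gMSA sAMAccountNames end in '$', like computer objects; PsExec needs it.
    if ($Account -notmatch '^[^\\]+\\[^\\]+\$$') {
        throw ('Account must look like DOMAIN\name$ (got {0}).' -f $Account)
    }

    # The page requires PsExec v2.2 or later.
    # Assumption: Sysinternals versions read as decimals (2.11 < 2.2 < 2.43).
    $raw = (Get-Item -LiteralPath $PsExecPath -ErrorAction Stop).VersionInfo.FileVersion
    if ([decimal]$raw -lt 2.2) {
        throw "PsExec $raw is too old; v2.2 or later is required."
    }

    # Test-ADServiceAccount returns $true only if this computer can use the
    # gMSA (it is permitted to retrieve the managed password).
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam = ($Account -split '\\')[1]
    if (-not (Test-ADServiceAccount -Identity $sam)) {
        throw "This host cannot use $sam; check who may retrieve its password."
    }

    # Same command as on the page: interactive, '~' stands in for no password.
    & $PsExecPath -i -u $Account -p '~' $Command
}

# Example call with the page's placeholder account:
# Invoke-AsGmsa -Account 'DOMAIN\gMSA-Account$' -Command 'mmc.exe'
```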


Resources

https://oyvindnilsen.com/run-process-as-managed-service-account/

https://serverfault.com/questions/736651/run-command-with-a-managed-service-account