I have created a gMSA like this:
New-ADServiceAccount -name Cust00000 -DNSHostName Cust00000.domain.com -PrincipalsAllowedToRetrieveManagedPassword "IIS_IUSRS" -ManagedPasswordIntervalInDays 60
And life seems to be good. However, when I run
Test-ADServiceAccount Cust00000
This is what I get:
False
WARNING: Test failed for Managed Service Account Cust00000. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
for the gMSA. See the MSA operational log for more information.
I checked event viewer -> Application and Services Logs -> Microsoft -> Windows -> Apps -> Microsoft-Windows-TWinUI/Operational but this does not appear to be correct. Where (and possibly what) is the MSA operational log?
EDIT: For the overall issue, I had tried Install-ADServiceAccount but it wasn't working. I gave up on that and finally got it working (for a gMSA named Domain\sirdank$) with Set-ADServiceAccount sirdank -PrincipalsAllowedToRetrieveManagedPassword "$env:computername$" I've also had luck with passing "Domain Computers" instead of "$env:computername$".
Having a similar issue right now. I think the log you are looking for is in Event Viewer under Microsoft/Windows/Security-Netlogon/Operational log; you might see some 9001/9002 events (Task Category of MSA) which might give you some color on what is happening.
Got this from a recent TechNet blog post that describes troubleshooting gMSA account creation/testing issues. Take a look, it might be relevant to your overall issue: https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/
Alternate link (it appears the same post was cross-posted with a different title): https://blogs.technet.microsoft.com/runcmd/the-rc4-removal-files-part-1-whats-in-an-error-message/
Related
I've been trying to figure out how a few security settings in M365 tenant can be configured via Powershell.
I was looking into Privacy Management in the admin console which has a bunch of settings I required, for eg- data retention period for subject right requests.
I was not able to find anything in the Microsoft documentations, but by some hit and trial I found a command - Get-PrivacyManagementRule . Turns out it has a lot of settings I was looking for.
I'm currently not sure whether I can use this command or this will eventually be deprecated since there is literally 0 information about this command from Microsoft.
Can anyone with more info on this help me out ?
Greeting Everyone,
Hoping someone has a quick insight but I am getting access denied on a service account using the PowerShell command Remove-CMDevice.
This process is as per outlined here, https://technet.microsoft.com/en-us/library/jj821759(v=sc.20).aspx
The account has permission to remove devices from SCCM and this works fine through the GUI but not the command line. I have been unable to find documentation on what permissions the account need to do this via command line, it works fine manually in the GUI.
If anyone can shed light on this it will be wonderful, I do want to keep this service account as having as minimal permissions as possible.
Many thanks,
Edit to Add Image as follows,
After a lot of testing, I'm here with an answer on the Permission part when using PowerShell console to remove CM system object. Of course the symptom is the same: The account can delete from Admin console, however, when using PowerShell, it failed with Permission error message.
The account to perform the Remove-CMDevice cmdlet must have proper RBA Permission on the object. Assume the security scope is default one, the account connected to Configuration Manager console must have below RBA permission which I tested is almost minimal permission:
In the screenshot the Collection part, the permission is easy to understand, Read, Delete Resource, etc.
For the Computer Association part, you may get confused, why?
Steps I did the troubleshooting:
I opened a PowerShell Console connecting to Configuration Manager using my test account and run below command to see what will happen:
Remove-CMDevice 'Rsuraceccc' -Verbose
I got below error:
Yes, it's trying to querying from the SMS_StateMigration. Then I try to run a simple command:
Get-WMIObject -NameSpace root\sms\site_clt -Query 'Select * from SMS_StateMigration'
Once again, I got error. So I get the conclusion that the account needs Permission on SMS_StateMigration. So I add 'Recover User State' permission of Computer Association on the role and tried again, cheers, this time all command runs successfully.
I don't know why it's using SMS_StateMigration, but this is the case here.
Ok I am attempting to transfer a manual change to powershell,
Attempting to grant IIS_IUSRS access to /LM/SmtpSvc/ and /LM/SmtpSvc/1/ nodes in the IIS Metabase.
I have googled extensively and can not find an example of what i am looking for.
I have been trying to play with
$smtp = [wmiclass]‘root\MicrosoftIISv2:IIsSmtpServerSetting'
But I am in a little over my head with WMI.
Any help would be appreciated. This setting is required for resolving
This.
Not an exact answer, but the best I have so far. Following the Guide here I chose option 1 and changed the app pool to network service. I will still work on a way to do the permissions settings with powershell.
Update (solution untested)
I found this answer on another post that details how to do it using scripts in the iis6.0 resource toolkit. To get these scripts on server 2012 you have to install the IIS6.0 resource toolkit, the only way i can find to do a silent install of this one was located here from there you can call the scripts using cscript.exe. I stuck with the changing user on the app pool option because it fits in with other things as well.
I'm running an application that executes Windows Workflows as a service with some custom activities in them. When I run the activities as a logged on user in a shell that invokes the workflows with the activities, the activities have no problems performing as expected. When the activities get invoked while the user is running the service (e.g. not logged on, at least not graphically) the activities fail with "Access Denied" errors. What's the difference between running the code as a logged on user vs running it as a service user ? Is it that when it runs as a service, the user's profile doesn't get loaded ? If so, how can I force the user's profile to get loaded when running as a service ?
Specifically, the activities I'm working with perform remote management with classes in the System.Management.Automation namespace (i.e. powershell).
A bit late answer, but in case someone else is wondering.
I had a similar problem earlier and have done some research. The following is untested, but may be of help to others.
The difference between a process running as "Windows Service" and under a desktop environment is what Window Station it is assigned to. Normally a service runs under a different station than desktop users.
I say normally because a service can have the "SERVICE_INTERACTIVE_PROCESS" flag set. This will give it a desktop window station. See this article and this article for a more detailed explanation. Setting the "SERVICE_INTERACTIVE_PROCESS" can be done in the CreateService (C# use of that) call or manually by checking the "Allow service to interact with desktop" checbox under "LogOn" under properties of the specific service.
Having a tough time with this issue. Not sure how but my ApplicationPoolIdentity is broken.
Currently I'm running IIS 8 on Windows 8 with Visual Studio 2012. When trying to debug an application from Visual Studio, or just navigating to the site in a browser I get the following error logged and a 503 error.
Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
If I check out the Application error logs, I find the following error from the User Profile Service.
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - The system cannot find the path specified.
Upon looking into the details I find that the User Profile Service is trying to load up a profile with the Id
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Now I opened up the registry to try and find the profile with that UserId. However there's nothing in the Profile list that helps.
So digging around a little more I've found that this issue can be resolved by either
A) Set the Load User Profile of the Application Pool to false.
B) Use a different account for the application pool.
C) Fix the account.
Seeing how this is the built in account, I'd prefer to fix the issue rather than fix the sympton.
What I have tried
aspnet_regiis -i
Removing IIS from windows and reinstalling.
Attempted to follow the guide here but I don't know the account password :P
My hunch
Somehow the ApplicationPoolIdentity got messed up. Is there any physical folders for the built-in accounts? I know that the Network and Local service profiles physical directories exist at C:\Windows\ServiceProfiles\. It is possible to recreate the ApplicationPoolIdentity profile? Or am I way off on what the real issue is?
C) Here is what i did to fix the account
Go in regedit at key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is a setting called "Default". You have to make sure that the data value point to an existing directory on the drive.
By default it contains "%SystemDrive%\Users\Default". In my company the default is changed to a custom profile. Somehow, someone deleted that user profile. So when the defaultAppPool user tryed to create an accound for himself, it was unable to do so because windows cannot provide him with a default user profile.
You can also diagnose this error when looking at the Event Viewer under the Application folder. You will get a message of that type:
Windows cannot find the local profile and is logging you on with a
temporary profile. changes you make to this profile will be lost when
you log off.