Manage gMSA (Group Managed Service Account) #54

Open
jpatigny opened this issue Nov 7, 2020 · 5 comments
Labels
enhancement (New feature or request), next version

Comments

@jpatigny
Contributor

jpatigny commented Nov 7, 2020

Description

Add a resource to manage gMSAs based on the PowerShell cmdlets New-ADServiceAccount, Set-ADServiceAccount and Remove-ADServiceAccount.

I'm aware that there are a lot of parameters available.
Maybe it would be worth focusing on the main ones (refer to the examples, taken mainly from the Microsoft documentation pages).

Potential Terraform Configuration

Example 1: Create an enabled managed service account

```hcl
resource "ad_gmsa" "gmsa_example1" {
  Name        = "Service01"
  DnsHostname = "Service01.contoso.com"
  Enable      = true
}
```

Example 2: Create a managed service account and register its service principal name

```hcl
resource "ad_gmsa" "gmsa_example2" {
  Name                  = "Service01"
  DnsHostname           = "Service01.contoso.com"
  ServicePrincipalNames = ["MSSQLSVC/Machine3.corp.contoso.com"]
}
```

Example 3: Create a managed service account for a single computer

```hcl
resource "ad_gmsa" "gmsa_example3" {
  Name                     = "Service01"
  RestrictToSingleComputer = true
}
```

Example 4: Create a managed service account for outbound authentication only

```hcl
resource "ad_gmsa" "gmsa_example4" {
  Name                                 = "Service01"
  RestrictToOutboundAuthenticationOnly = true
}
```

Example 5: Create a managed service account for specific computers.

```hcl
resource "ad_gmsa" "gmsa_example5" {
  Name                                       = "Service01"
  DnsHostname                                = "Service01.contoso.com"
  Enable                                     = true
  PrincipalsAllowedToRetrieveManagedPassword = ["computer1", "computer2"]
  KerberosEncryptionType                     = "AES256"
  ManagedPasswordIntervalInDays              = 30
}
```

References

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-adserviceaccount?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-adserviceaccount?view=win10-ps

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@jpatigny jpatigny added the enhancement New feature or request label Nov 7, 2020
@jpatigny jpatigny changed the title from "Add resource gmsa (aka group managed service account)" to "Manage gMSA (Group Managed Service Account)" Nov 7, 2020
@briantist

+1 this is a major part of our current Windows deployment process. We also typically create a group that contains computers, and set the group to be the lone member of PrincipalsAllowedToRetrieveManagedPassword for example.

@jpatigny
Contributor Author

Working on this one

@briantist

Note about this example:

```hcl
resource "ad_gmsa" "gmsa_example3" {
  Name                     = "Service01"
  RestrictToSingleComputer = true
}
```

This is an MSA, but not a gMSA. The *-ADServiceAccount cmdlets are used for both. It might be a good time to decide whether there should be separate msa/gmsa resources, or a single resource that manages both. Some params to those cmdlets apply to both types, some only apply to one or the other.

For supporting MSAs, you'll also want to look at Install-ADServiceAccount so that the acct will be usable on the local machine, although I'm not sure how that'd be handled since it doesn't execute on the domain controller (but does need to access the DC). That command "works" with gMSAs too, as in it won't fail, but it's a no-op.
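As an added example, not code from this issue or from the provider, the Go sketch below (Go being the provider's own language) turns a configuration shaped like the proposed ad_gmsa resource into a New-ADServiceAccount invocation. It encodes the MSA/gMSA distinction raised in the comment above: it classifies the spec by RestrictToSingleComputer/RestrictToOutboundAuthenticationOnly, rejects gMSA-only parameters on a standalone MSA and a gMSA without DnsHostname, and single-quotes every value it interpolates into the command so a configuration value cannot add extra PowerShell syntax. The struct, the function names, the AES-only encryption-type policy and the Service01-Hosts group name are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ServiceAccountSpec mirrors the attributes proposed for ad_gmsa in this issue; the
// struct and the functions below are assumptions of this example, not provider code.
type ServiceAccountSpec struct {
	Name                                       string
	DNSHostName                                string
	Enabled                                    bool
	ServicePrincipalNames                      []string
	RestrictToSingleComputer                   bool
	RestrictToOutboundAuthenticationOnly       bool
	PrincipalsAllowedToRetrieveManagedPassword []string
	KerberosEncryptionType                     string
	ManagedPasswordIntervalInDays              int
}

// Kind is "MSA" for a standalone account (single computer or outbound-only) and "gMSA" otherwise.
func (s ServiceAccountSpec) Kind() string {
	if s.RestrictToSingleComputer || s.RestrictToOutboundAuthenticationOnly {
		return "MSA"
	}
	return "gMSA"
}

// Validate enforces the cmdlet's parameter-set rules before anything runs: -DNSHostName is
// mandatory for a gMSA, while -DNSHostName, -ManagedPasswordIntervalInDays and
// -PrincipalsAllowedToRetrieveManagedPassword are absent from the standalone-MSA parameter sets.
// Accepting only AES is a hardening choice of this example; the cmdlet itself also takes RC4/DES/None.
func (s ServiceAccountSpec) Validate() error {
	if s.Name == "" {
		return errors.New("Name is required")
	}
	if s.RestrictToSingleComputer && s.RestrictToOutboundAuthenticationOnly {
		return errors.New("RestrictToSingleComputer and RestrictToOutboundAuthenticationOnly are mutually exclusive")
	}
	gmsaOnly := s.DNSHostName != "" || len(s.PrincipalsAllowedToRetrieveManagedPassword) > 0 || s.ManagedPasswordIntervalInDays != 0
	if s.Kind() == "gMSA" && s.DNSHostName == "" {
		return errors.New("DnsHostname is required for a group managed service account")
	}
	if s.Kind() == "MSA" && gmsaOnly {
		return errors.New("DnsHostname, PrincipalsAllowedToRetrieveManagedPassword and ManagedPasswordIntervalInDays apply only to gMSAs")
	}
	if s.ManagedPasswordIntervalInDays < 0 {
		return errors.New("ManagedPasswordIntervalInDays must not be negative")
	}
	switch s.KerberosEncryptionType {
	case "", "AES128", "AES256":
		return nil
	}
	return fmt.Errorf("KerberosEncryptionType %q rejected: only AES128 or AES256 are allowed", s.KerberosEncryptionType)
}

// psQuote renders a PowerShell single-quoted literal, doubling embedded quotes so a value cannot end the string early.
func psQuote(v string) string { return "'" + strings.ReplaceAll(v, "'", "''") + "'" }

// psArray renders a PowerShell array literal of single-quoted strings.
func psArray(vs []string) string {
	quoted := make([]string, len(vs))
	for i, v := range vs {
		quoted[i] = psQuote(v)
	}
	return "@(" + strings.Join(quoted, ",") + ")"
}

// NewCommand renders the New-ADServiceAccount invocation for a validated spec.
// -Enabled is always rendered so the result never depends on the cmdlet's default.
func (s ServiceAccountSpec) NewCommand() (string, error) {
	if err := s.Validate(); err != nil {
		return "", err
	}
	parts := []string{"New-ADServiceAccount", "-Name", psQuote(s.Name), "-Enabled", "$" + strconv.FormatBool(s.Enabled)}
	opt := func(on bool, flag string, val ...string) { // append the flag (and its value) only when set
		if on {
			parts = append(append(parts, flag), val...)
		}
	}
	opt(s.DNSHostName != "", "-DNSHostName", psQuote(s.DNSHostName))
	opt(len(s.ServicePrincipalNames) > 0, "-ServicePrincipalNames", psArray(s.ServicePrincipalNames))
	opt(s.RestrictToSingleComputer, "-RestrictToSingleComputer")
	opt(s.RestrictToOutboundAuthenticationOnly, "-RestrictToOutboundAuthenticationOnly")
	opt(len(s.PrincipalsAllowedToRetrieveManagedPassword) > 0, "-PrincipalsAllowedToRetrieveManagedPassword", psArray(s.PrincipalsAllowedToRetrieveManagedPassword))
	opt(s.KerberosEncryptionType != "", "-KerberosEncryptionType", s.KerberosEncryptionType)
	opt(s.ManagedPasswordIntervalInDays > 0, "-ManagedPasswordIntervalInDays", strconv.Itoa(s.ManagedPasswordIntervalInDays))
	return strings.Join(parts, " "), nil
}

func main() {
	// Example 5 from the issue body, with the retrieval principals replaced by a single
	// computer group as briantist describes (Service01-Hosts is a constructed name).
	gmsa := ServiceAccountSpec{Name: "Service01", DNSHostName: "Service01.contoso.com", Enabled: true, KerberosEncryptionType: "AES256",
		PrincipalsAllowedToRetrieveManagedPassword: []string{"Service01-Hosts"}, ManagedPasswordIntervalInDays: 30}
	fmt.Println(gmsa.NewCommand())
}
```

Run with `go run .`; Example 3 from the issue body (`ServiceAccountSpec{Name: "Service01", RestrictToSingleComputer: true}`) classifies as "MSA", and adding DnsHostname to it is rejected at validation rather than surfacing as a cmdlet parameter-set error at apply time. Quoting through psQuote matters because the provider executes rendered PowerShell remotely, so any string from configuration must reach the cmdlet as data.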

@ruant

ruant commented Nov 9, 2022

> Working on this one

@jpatigny Did you manage to get anything together for this?

@benjamin-rousseau-shift

This would be a neat feature, any news on this one?
