PowerShell: check if an AD Group Managed Service Account (gMSA) is correctly installed on Windows Server

If you wish to check whether a Windows Group Managed Service Account (gMSA) is correctly installed (and available for use) on a Windows machine, you can do the following.

  1. Open a new PowerShell window.
  2. Make sure that the Active Directory PowerShell feature (part of RSAT) is installed on the server. Do this by issuing this command:

     Add-WindowsFeature RSAT-AD-PowerShell

  3. Afterwards, test the actual service account by typing in the following command (replace “my_gmsa_account” with the actual account name you want to check):

     Test-ADServiceAccount my_gmsa_account

  4. If the account is successfully installed on the Windows Server, the command returns:

     True

  5. If however the account is not installed on the Windows Server, or the server has no permission to use it, the command returns False together with a warning like this:

     False
     WARNING: Test failed for Managed Service Account my_gmsa_account. If standalone Managed Service Account, the account is
     linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
     not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
     for the gMSA. See the MSA operational log for more information.
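The steps above wrapped into one reusable function, as an added example that is not part of the original post. It installs the RSAT module if it is missing, runs Test-ADServiceAccount, and on a False result also reports which principals are allowed to retrieve the gMSA password and whether the local computer is among them (directly or through group membership), which is the usual reason for the warning above. The function name Test-GmsaReady and the account name my_gmsa_account are placeholders chosen for this example; the cmdlets used (Get-WindowsFeature, Install-WindowsFeature, Test-ADServiceAccount, Get-ADServiceAccount, Get-ADComputer, Get-ADObject, Get-ADGroupMember) are the standard ServerManager and ActiveDirectory module cmdlets.

```powershell
# Added example, not code from the original post.
# Test-GmsaReady is a hypothetical helper name; "my_gmsa_account" is a placeholder.

function Test-GmsaReady {
    [CmdletBinding()]
    param(
        # sAMAccountName of the gMSA to check (with or without the trailing '$')
        [Parameter(Mandatory)]
        [string]$AccountName
    )

    # Steps 1-2: make sure the Active Directory PowerShell module (RSAT) is present.
    $feature = Get-WindowsFeature -Name RSAT-AD-PowerShell
    if (-not $feature.Installed) {
        Write-Verbose "RSAT-AD-PowerShell is not installed; installing it now"
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 3: ask this machine whether it can actually use the account.
    # Test-ADServiceAccount returns $true/$false and writes the WARNING shown above on failure.
    $installed = [bool](Test-ADServiceAccount -Identity $AccountName -WarningAction SilentlyContinue)

    # Steps 4-5: on False, gather the facts an admin needs to explain the result.
    $allowed = @()
    $thisComputerAllowed = $null
    if (-not $installed) {
        $gmsa = Get-ADServiceAccount -Identity $AccountName `
                    -Properties PrincipalsAllowedToRetrieveManagedPassword
        # Distinguished names of computers/groups allowed to fetch the managed password
        $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

        $computer = Get-ADComputer -Identity $env:COMPUTERNAME
        $thisComputerAllowed = $allowed -contains $computer.DistinguishedName

        # The computer may be authorised through a group rather than directly.
        if (-not $thisComputerAllowed) {
            foreach ($dn in $allowed) {
                $obj = Get-ADObject -Identity $dn
                if ($obj.ObjectClass -eq 'group') {
                    $members = Get-ADGroupMember -Identity $dn -Recursive
                    if (@($members.distinguishedName) -contains $computer.DistinguishedName) {
                        $thisComputerAllowed = $true
                        break
                    }
                }
            }
        }
    }

    [PSCustomObject]@{
        Account             = $AccountName
        Computer            = $env:COMPUTERNAME
        Installed           = $installed
        AllowedPrincipals   = $allowed
        ThisComputerAllowed = $thisComputerAllowed
    }
}

# Usage (replace the placeholder with the real gMSA name):
Test-GmsaReady -AccountName 'my_gmsa_account' -Verbose
```

If Installed is False but ThisComputerAllowed is True via a group, the computer was most likely added to that group after it last logged on: the computer's group membership is carried in its Kerberos ticket, so restart the server (or purge the computer account's Kerberos tickets) and run the test again. If ThisComputerAllowed is False, the gMSA's PrincipalsAllowedToRetrieveManagedPassword must be extended before Install-ADServiceAccount on this server can succeed. If both are True and the test still fails, the remaining cause named in the warning is an unsupported Kerberos encryption type on this host.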

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.
