How to fix Windows Service logon tab options greyed out with GMSA account

If you have configured a Windows Service to run under a GMSA (Group Managed Service Account), then it is possible that you will run into the problem that the “log on” tab options will be greyed out, rendering you unable to change the service account for this Windows Service.

1. Change managedaccount flag to “false”

The solution to make the greyed out fields editable again, is to set the “managedaccount” flag of the Windows Service to “false”. The easiest way to do this is via cmd.exe (command prompt). Open up a new Command Prompt as Administrator, then execute the following statement.

sc managedaccount <servicename> false

Replace “<servicename>” with the name of the Windows Service that you would like to unlock.

You should get the following output:

C:\Windows\system32>sc managedaccount <servicename> false
[SC] ChangeServiceConfig2 SUCCESS

Now try to open the Windows Service properties again. When you go to the “log on” tab the fields should now be editable again. You can now change the service account credentials.

2. Change managedaccount flag back to “true” (if the service is still using a GMSA account)

After you have made the service account change via the Windows Service properties you screen, you will need to change the managedaccount flag back to “true”, as otherwise you will run into a problem where the Windows Service will fail to start with the error “Error 1069: The service did not start due to a logon failure.”

Open up a new Command Prompt as Administrator again, then execute the following statement:

sc managedaccount <servicename> true

Now the Windows Service should be able to start under the (new) GMSA credentials.

Published
Categorized as Windows

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.

Leave a comment

Your email address will not be published.