If you have configured a Windows Service to run under a GMSA (Group Managed Service Account), then it is possible that you will run into the problem that the “log on” tab options will be greyed out, rendering you unable to change the service account for this Windows Service.
1. Change managedaccount flag to “false”
The solution to make the greyed out fields editable again, is to set the “managedaccount” flag of the Windows Service to “false”. The easiest way to do this is via cmd.exe (command prompt). Open up a new Command Prompt as Administrator, then execute the following statement.
sc managedaccount <servicename> false
Replace “<servicename>” with the name of the Windows Service that you would like to unlock.
You should get the following output:
C:\Windows\system32>sc managedaccount <servicename> false [SC] ChangeServiceConfig2 SUCCESS
Now try to open the Windows Service properties again. When you go to the “log on” tab the fields should now be editable again. You can now change the service account credentials.
2. Change managedaccount flag back to “true” (if the service is still using a GMSA account)
After you have made the service account change via the Windows Service properties you screen, you will need to change the managedaccount flag back to “true”, as otherwise you will run into a problem where the Windows Service will fail to start with the error “Error 1069: The service did not start due to a logon failure.”
Open up a new Command Prompt as Administrator again, then execute the following statement:
sc managedaccount <servicename> true
Now the Windows Service should be able to start under the (new) GMSA credentials.
