To check whether a Windows Group Managed Service Account (gMSA) is correctly installed (and available for use) on a Windows machine, you can do the following.
- Open a new PowerShell window.
- First, make sure that the Active Directory PowerShell feature is enabled on the server. Do this by issuing this command:
Add-WindowsFeature RSAT-AD-PowerShell
- Afterwards, test the actual service account name by typing in the following command (replace “my_gmsa_account” with the actual account name you want to check):
Test-ADServiceAccount my_gmsa_account
- If the account is successfully installed on the Windows Server, it should return:
True
- If, however, the account is not installed on the Windows Server or the server has no permission to use it, you will receive an error message like this:
False
WARNING: Test failed for Managed Service Account my_gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.
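
When the test returns False for a gMSA, the warning names two possible causes: the computer is not permitted to retrieve the password, or the Kerberos encryption types do not match. The following script is an added example, not part of the original page, that runs the same test and then reports on both causes. It assumes the RSAT-AD-PowerShell feature is installed and only checks direct group membership of the computer (nested groups are not resolved); the variable names are illustrative.

```powershell
# Added example: narrow down why Test-ADServiceAccount returns False for a gMSA.
# 'my_gmsa_account' is the placeholder name used on this page.
param([string]$GmsaName = 'my_gmsa_account')

Import-Module ActiveDirectory -ErrorAction Stop

try {
    $ok = Test-ADServiceAccount -Identity $GmsaName -WarningAction SilentlyContinue -ErrorAction Stop
} catch {
    Write-Warning "Could not test '$GmsaName': $($_.Exception.Message)"
    return
}
if ($ok) {
    Write-Output "$GmsaName is installed and usable on $env:COMPUTERNAME."
    return
}

# Read the gMSA's retrieval permissions and encryption types from Active Directory.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType
$computer = Get-ADComputer -Identity $env:COMPUTERNAME `
    -Properties MemberOf, KerberosEncryptionType

# Cause 1: this computer (or a group it is a direct member of) is not allowed
# to retrieve the managed password.
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$mine    = @($computer.DistinguishedName) + @($computer.MemberOf)
$granted = @($allowed | Where-Object { $mine -contains $_ })

if ($granted.Count -eq 0) {
    Write-Warning "$env:COMPUTERNAME is not listed (directly or via a direct group) as allowed to retrieve the password."
    Write-Output  "Principals currently allowed:"
    $allowed | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "Permission is granted through:"
    $granted | ForEach-Object { Write-Output "  $_" }
}

# Cause 2: encryption type mismatch. Print both values so they can be compared.
Write-Output "gMSA encryption types:     $($gmsa.KerberosEncryptionType)"
Write-Output "Computer encryption types: $($computer.KerberosEncryptionType)"
```

If the computer was only recently added to an allowed group, it needs a restart before the new membership takes effect.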