Tim Kristof

asked on

ACL Settings for a Managed Service Account

I want to give access rights to a gMSA via PowerShell. I know how it works with a regular domain account, but this doesn't work with a group managed service account.

This is an example of my attempt:

$rootfolder = "C:\Admin"
$username   = "gMSA_Excample$"     # account to grant; a gMSA's sAMAccountName ends with $
$permission = "FullControl"

# all sub-folders below the root (the root folder itself is not included)
$Folders = (Get-ChildItem -Directory $rootfolder -Recurse).FullName

foreach ($folder in $Folders)
{
    $Acl = Get-Acl $folder
    # allow rule that inherits to sub-folders (ContainerInherit) and files (ObjectInherit)
    $Ar  = New-Object System.Security.AccessControl.FileSystemAccessRule($username, $permission, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($Ar)
    Set-Acl $folder $Acl
}


oBdA

You need to use the service account's sAMAccountName, not its AD name; it will end with a $, because a service account is essentially a computer account.
The SAM is in all likelihood just gMSA_SVC-P$, but you can run this to verify:
Get-ADServiceAccount -Filter "Name -eq 'gMSA_SVC-P'"

Tim Kristof (asker)

You're right, now there is no error code, but the ACL is not set. It's like the checkbox you have to tick when you try to choose the account: you first have to check the box "service accounts".
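Put together from the thread's advice as an added example (not the asker's or oBdA's code): it looks the gMSA up by its AD Name with Get-ADServiceAccount as oBdA suggested, grants the rule by the account's SID instead of a typed name, and reads the ACL back after Set-Acl, which is the check the asker's follow-up ("no error, but the ACL is not set") calls for. The folder path, the account name and the presence of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example: grant a gMSA rights on a folder tree and verify the ACE landed.
# Assumes the ActiveDirectory module is installed and $GmsaName exists (placeholders).
param(
    [string]$RootFolder = 'C:\Admin',
    [string]$GmsaName   = 'gMSA_Example',    # AD 'Name' without the trailing $
    [string]$Permission = 'FullControl'      # as in the question; 'Modify' is often enough
)
Import-Module ActiveDirectory

# Resolve the account as suggested in the answer; SamAccountName ends with '$'.
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'"
if (-not $gmsa) { throw "gMSA '$GmsaName' not found in AD" }
Write-Host "SamAccountName: $($gmsa.SamAccountName)  SID: $($gmsa.SID.Value)"

# Use the SID as the identity so no name-to-SID translation happens on the client;
# a bare string in the rule constructor is resolved through NTAccount first.
$identity = $gmsa.SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $identity, $Permission, 'ContainerInherit,ObjectInherit', 'None', 'Allow'

# Include the root folder itself; the loop in the question only touched sub-folders.
$folders = @(Get-Item -Path $RootFolder) + @(Get-ChildItem -Directory -Path $RootFolder -Recurse)

foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    $acl.SetAccessRule($rule)
    Set-Acl -Path $folder.FullName -AclObject $acl

    # Read the ACL back with SID-typed identities and confirm an ACE for the gMSA exists;
    # Set-Acl can complete without error while the intended principal is still missing.
    $applied = (Get-Acl -Path $folder.FullName).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $identity.Value }
    if ($applied) {
        Write-Host "OK      $($folder.FullName): $($applied.FileSystemRights)"
    } else {
        Write-Warning "MISSING $($folder.FullName): no ACE for $($gmsa.SamAccountName)"
    }
}
```

Run it from an elevated session on a domain-joined host; any folder reported as MISSING is one where the grant did not take effect and needs a closer look.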

ASKER CERTIFIED SOLUTION
oBdA