AppWorx, Dollar Universe and Sysload Community

Hi Dollar Universe Community,

I share a tips how to implement GMSA to Dollar Universe Account Service in Windows System

It's Powershell script, you have to be administrator.

The GMSA user have to be created by a AD administrator.

# powershell as administrateur
[String]$AD_Domain = "<AD_Domain>"
[String]$MSA_Account="<AD_accountName>"

[String]$DU_Company = "<DU_Company>"
[String]$DU_Node = "<DU_Node>"

[String]$DU_Account = "<DU_SubmitAccount>"
[String]$DU_rootdir = "<DU_InstallDir>"

[String]$DU_BinPath = "${DU_rootdir}\${DU_Company}\bin\uniservuser.exe"
[String]$serviceName = "${DU_Company}_${DU_Node}_univ_${DU_Account}"

Write-Output "Step 1: INstall RSAT..."
Add-WindowsFeature RSAT-AD-PowerShell

Write-Output "Step 2: install GMSA..."
Install-ADServiceAccount $MSA_Account

Write-Output "Step 3: test GMSA..."
Test-AdServiceAccount -Identity $MSA_Account

Write-Output "Step 4: Add group Administrators for GMSA..."
Add-LocalGroupMember -Group "Administrators" -Member "${AD_Domain}\${MSA_Account}$"

# --- Dollar Universe
Write-Output "Step 5: Delete `$U User ..."
cmd /c "${DU_rootdir}\${DU_Company}\unienv.bat && ${DU_rootdir}\${DU_Company}\bin\uxdlt USER user=${DU_Account}"
Write-Output "Step 6: Create `$U User ..."
cmd /c "${DU_rootdir}\${DU_Company}\unienv.bat && ${DU_rootdir}\${DU_Company}\bin\uxadd USER user=${DU_Account} type=WIN label=`"${DU_Account}`" SYSUSER=`"${AD_Domain}\${MSA_Account}$`""

# --- Service Dollar Universe
Write-Output "Step 7: Create Service `$U User ..."
New-Service -Name "$serviceName" -DisplayName "Univer`$e ${DU_Company}_${DU_Node} user ${DU_Account}" -Description "Dollar Universe user service" -BinaryPathName "${DU_BinPath}" -StartupType Automatic

Write-Output "Step 8: Update Service `$U User ..."
$ServiceObject = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" 
$ServiceObject.StopService() | out-null
# -- Change logon as settings
$ServiceObject.Change($null, $null, $null, $null, $null, $null, "${AD_Domain}\${MSA_Account}$", $null, $null, $null, $null)
$ServiceObject.StartService()

So this is creating a local service using a standard domain account then changing its logon to use a gMSA. 

Need to point out there may be other secrity things to overcome when changing  a service to run as a different account but that would need to be cartered for seperately.