Using Group Managed Services Account with Scheduled Tasks

In this post we will be going through the steps required to create and use group managed services account (gMSA) with a scheduled task.

gMSA are a managed domain account that provides automatic password management. These accounts provide a single identity to use on multiple servers.

By using a gMSA account, we can configure services / scheduled tasks with the gMSA principal and Active Directory handles the password management.

gMSAs where introduced since Windows Server 2012.

There are pre-requests to use gMSA that most domain should already meet, this is AD Schema of 52 (2012) and at least one 2012 DC.

Once we meet the minimum scheme the second part is that we have to create the Key Distribution Services Root Key.

This involves running a command in PowerShell, we can the below command to confirm that a kds root key doesn’t exist already.

Get-KdsRootKey

Get KDS Root Key

To create the KDS run

Add-KdsRootKey –EffectiveImmediately

Now when we check KDS again we can see the root key.

Now that we have the KDS root key we can create the gMSA

We can add the host either individually or using a security group, we will be using a group in this post as it will be easier to mange and just need to add any additional servers to the group to allow access.

I have create a group called tskgmsa_access to use and added some server computer accounts.

The below command is used to create the gMSA account (The DNS is required by the command but not needed for running scheduled task so you can use whatever name as it doesn’t need to be resolvable)

New-ADServiceAccount -name gMSAName -DNSHostName DNSName -PrincipalsAllowedToRetrieveManagedPassword "Group or Hosts"

If you receive the below error New-ADServiceAccount : Key does not exist
this is probable due to the KDS key not be being actives yet and you will have to wait around 10 hours before trying to create the gMSA.

There is a way to force this using the below command but I didn’t want to force it and just left the server over night.

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))

Once we wait the 10 hours the command should now run without the error.

Create gMSA Account

The accounts are create under the Managed Services Accounts OU.

Note: To add additional accounts or groups to gMSA account you need to append the existing group or the command will remove the existing account

If running the below the new object will be added and remove the existing objects.

Set-ADServiceAccount -Identity gMSA_Account -PrincipalsAllowedToRetrieveManagedPassword "NewAccount$"

Instead we need to run this command to add the new object and kept existing object.

Set-ADServiceAccount -Identity gMSA_Account -PrincipalsAllowedToRetrieveManagedPassword "ExistingAccount$", "NewAccount$"

If we need to get a list of the existing object we can use.

Set-ADServiceAccount -Identity gMSA_Account -Property PrincipalsAllowedToRetrieveManagedPassword

We can add the account to a security group to give more rights, this could be used if the account needs admin right to do a specific tasks.

The Microsoft documentation says that you need to install RSAT tools and run Install-ADServiceAccount but I didn’t have to do this for scheduled task to run.

To allow the account to run a script we need to add the account to the logon as a batch job under user rights assignment. This can either be done using group policy or using secpol.msc.

I used secpol as i only have two servers to configure.

To test we will create a scheduled task that will out put text to a log file.

Below is the script file that will be run.

To use the gMSA account we will create the task using either PowerShell (Run as administrator as this required elevated privilege’s) or the task scheduler GUI. In this example we will use PowerShell.

Below is the command I used.

$arg = "-ExecutionPolicy Bypass -NoProfile -File C:\scriptpath\script.ps1"

$ta = New-ScheduledTaskAction -Execute C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -Argument $arg

$tt = New-ScheduledTaskTrigger -At "Time to Run"

$ap = New-ScheduledTaskPrincipal -UserID Domain\gMSA_AccountName -LogonType Password

Register-ScheduledTask gMSA_Test_Task –Action $ta –Trigger $tt –Principal $ap

If you get incorrect users or password and only recently added the computer account to the security group, the server will need a reboot to pickup the membership.

If creating in the GUI you will probable get an error while searching for the gMSA account.

To get the search to work correctly we need to remove user and built-in-security principals from the search object types and leaving just service accounts.

Next we can search for the gMSA account.

Next we need to run the task and confirm data is written to the log. From the task events we can see the account used is gmsa_tsksch$.

We can also see the authentication on the domain controller.

When we check the logs folders we can see the text files are created.

This has been a overview of creating and using a Group Managed Service Account for running scheduled tasks.

Weekly Active Directory Audit Report PowerShell

Recently a request came in from our security team to audit recently create, deleted AD object, accounts due to expire (this is for third party users) and modified / created group policy objects so that they would be able to trace the changes happening in Active Directory.

I decided to write a PowerShell script that will export the required information and then send a the csv export to the user that require the information.

This could also be used to import the data to a dashboard by either using the CSV files or if the dashboard can use direct PowerShell script like PowerBI.

First there are some mandatory parameters. Exportpath and domain.

To allow the script to be run without emailing the csv I have left the smtpserver, to and from address as not mandatory parameters.

The script used two different modules

Group Policy:

ActiveDirectory:

To install these go on a Windows server go to add roles and features and select Group policy Management

and under RSAT enabled the Active Directory module.

Once all the features are enable we can run the script.

I have set the default time to last 7 days but if you want to go back further then update the date value.

To run the script so that it just export local without email the reports use the below.

.\WeeklyAD_AuditReport_V1.ps1 -exportPath c:\Temp\AD_Audit\ -domains domian.local

To email the report use the below

.\WeeklyAD_AuditReport_V1.ps1 -SMTPServer mailserver.domain.local -toAddress administrator@domain.local -FromAddress ADreport@domain.local -exportPath c:\Temp\AD_Audit\ -domains domian.local

Once the script completes we can check that the csv files have been created.

If the SMTP server parameter is set, the script will send a email and add the csv as attachments.

Below is what the outputs should look like.

GPO:

Deleted Objects:

Account expire:

The full script can be downloaded from the below link to my GitHub.

Scripts/ActiveDirectory/WeeklyReport at master · TheSleepyAdmin/Scripts (github.com)

The script can then be set to run as a scheduled task to run on a weekly scheduled.

Connect Windows Admin Center to Azure

In this post we will be going through connecting Windows Admin Center to Azure to allow management of Azure VM’s. To install WAC see previous post.

The Azure integration allows the management of Azure and on-prem servers from a single console.

First step is to register WAC with Azure, Open the WAC admin console and go to settings tab. AZ1

Go to the Azure in the gateway settings AZ2 Copy the code and click on the enter code hyperlink and enter the code AZ3 AZ4

Sign-in using an admin account on the Azure tenant. AZ5 AZ6

Now go back to WAC and click connect to finish the registration AZ7

Once WAC is registered it require admin application permission to be granted to the application registration in Azure AZ8

Now that the registration is completed we can now add Azure VM’s to WAC go to add and select Azure VM AZ9

Select the subscription (if there are multiple subscription in your tenant), resource group and VM that will be added. AZ10

Once the Azure VM is added, to allow management there will need to be management ports opened to allow a connection between WAC and the Azure VM. If you are using a site to site VPN you can just allow the ports over the VPN connection.

I have a public IP associated with my VM and I will be modifying my network security group to allow the ports from my public IP.

I wont be going through configuring an NSG as this was covered in a previous post. AZ15

On the VM itself you need to enable winrm and allow port 5985 through the windows firewall if enabled. This can be done by running the two command below from an admin PowerShell session.

winrm quickconfig
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

Once the NSG is configured we should then be able to connect to the VM. AZ12

Below shows the overview of the VM AZ14 We can also now connect to the VM using integrated RDP console in WAC AZ13

WAC also allows us to manage services, scheduled tasks, backups, check event logs and other admin task, along with connecting using remote PowerShell directly from WAC. AZ16

Windows Admin Centre 1910

I have previously looked at Window Admin centre (WAC) tech preview and wanted to configure the latest full release, to see what changes have been made and do a proof of concept to see if this will be useful if it is deployed to our production environment.

PowerShell version 5.1 is required on servers that will be added to WAC and will need Window Management Framework (WMF) 5.1 installed, some will require additional steps also. See list below for required pre-req before they can be managed in WAC.

https://www.microsoft.com/en-us/download/details.aspx?id=54616

Windows Admin Centre uses SMB for some file copying tasks, such as when importing a certificate on a remote servers.

Once all pre-req are confirmed, we can go ahead and download Windows Admin centre.

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-centerhttps://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview#download-now

Once the MSI is downloaded run and following the installation Admin1 Accept the terms. Admin2 Admin3

I used the default settings but you can enable WinRM over https if you have certificates that have server authentication set. If you want to look at configuring WinRM over https see following link: https://support.microsoft.com/en-us/help/2019527/how-to-configure-winrm-for-https Admin4

I will use default port 443 and generate a self signed cert, if you have a certificate authority you can generate a cert that can be used for gateway. Admin5 Admin6 Admin7

Once the install is completed you can access the Windows Admin Centre URL using https://servername.

Admin8 To add a server click Add. Admin9 Admin10 Click search active directory and put in the server name. Admin11

Once the server is added it will show in the admin console. To connect click on the server and connect. Admin12 When connecting to servers, to allow single sign on there is an additional command that need’s to be run. If this is not done you will see the below warning when connecting.

Admin13

I updated the command to run on all servers in AD, as I didn’t want to have to run on each individually.

$Servers = Get-ADComputer -Filter “OperatingSystem -like ‘Windows Server*'”
$WAC = “LAB-WAC”
Foreach ($Server in $Servers){
Set-ADComputer -Identity $Server -PrincipalsAllowedToDelegateToAccount (Get-ADComputer $WAC)
}

Admin16 The above command adds the admin server to the below attribute. Once this has been done when you click connect it should now use SSO. Admin15

We can now manage the servers from a central console without having to logon individually to each server. In the next post we will go through the different options and settings in Windows Admin Centre.