App Control: How to Configure a Managed Service Account (gMSA) For Server Install

Environment

  • App Control Server: 8.10 and Higher
  • SQL Server Standard: All Supported Versions
  • SQL Server Enterprise: All Supported Versions

Objective

How to configure a group managed service account (gMSA) for use with an App Control server installation.

Resolution

  1. Open PowerShell and update the principals allowed to retrieve the password for the gMSA account, adding the App Control computer account, e.g.:
    Set-ADServiceAccount -Identity gmsa1$ -PrincipalsAllowedToRetrieveManagedPassword appserver$
    • This parameter replaces the existing list of principals rather than appending to it, so include any principals that must keep access.
    • If the error "Set-ADServiceAccount is not recognized as the name of a cmdlet" is displayed, install the PowerShell AD tools:
      Install-WindowsFeature RSAT-AD-PowerShell
  2. Verify the principals allowed to retrieve the password:
    Get-ADServiceAccount -Identity gmsa1$ -Properties PrincipalsAllowedToRetrieveManagedPassword
    DistinguishedName                          : CN=gmsa1,CN=Managed Service
    Name                                       : gmsa1
    PrincipalsAllowedToRetrieveManagedPassword : {CN=APPSERVER,CN=Computers,DC=appc,DC=com}
    ...
    
  3. Install the gMSA account onto the App Control system, e.g.:
    Install-ADServiceAccount gmsa1$
  4. Verify the gMSA account has been installed on the App Control system:
    Test-ADServiceAccount gmsa1$
    True
  5. Add the gMSA account to the Local Administrators group on the App Control system:
    Add-LocalGroupMember -Group "Administrators" -Member gmsa1$
    
    • Verify the gMSA account is a member of the Local Administrators:
      Get-LocalGroupMember -Group "Administrators"
      User        GSSLABS\gmsa1$        ActiveDirectory
  6. Verify that the gMSA account has the required SQL Server permissions as listed here (Sysadmin role i...
  7. The App Control server app can now be used with a gMSA account
  8. During server setup specify the account as domain\username$ and leave the password blank
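
The verification steps above (2, 4 and 5) combined into one read-only check, as an added example that is not part of the original article or the vendor's own tooling. The function name Test-GmsaReadiness is hypothetical; gmsa1 is the sample account name used above, and the script assumes it is run on the App Control server in an elevated session with RSAT-AD-PowerShell installed.

```powershell
# Added example: read-only readiness check for the gMSA steps in this article.
# Assumptions: sample account name gmsa1; run on the App Control server itself.
function Test-GmsaReadiness {
    param(
        [string]$GmsaName     = 'gmsa1',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    # Step 2: is this host listed directly? Group entries are not expanded here;
    # Test-ADServiceAccount below covers access granted through a group.
    $listedDirectly = $allowed -contains $computerDn

    # Every other entry can also retrieve the password of an account that is a
    # local administrator on this server, so surface them for review.
    $others = @($allowed | Where-Object { $_ -ne $computerDn })

    # Step 4: the account is installed and usable on this host.
    $installed = [bool](Test-ADServiceAccount -Identity $GmsaName)

    # Step 5: local Administrators membership (names look like DOMAIN\gmsa1$).
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like "*\$GmsaName`$" })

    [pscustomobject]@{
        Gmsa                   = $gmsa.SamAccountName
        HostListedDirectly     = $listedDirectly
        OtherAllowedPrincipals = $others
        InstalledOnHost        = $installed
        LocalAdministrator     = $isAdmin
        Ready                  = $installed -and $isAdmin
    }
}

Test-GmsaReadiness -GmsaName 'gmsa1' | Format-List
```

A non-empty OtherAllowedPrincipals value is not an error, but each entry should be a principal that is meant to be able to run as this account.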

Additional Notes

SQL Express does not support the use of a managed service account.

Article Information
Creation Date: 10-13-2023