Windows 2012: Install-ADServiceAccount returns Access Denied

[guest]

I am playing around with the Group Managed Service Accounts. I skipped MSA from Windows Server 2008 R2 since the single-computer limitation made it's value fairly low. Anyway, the 2012 RC documentation is still not really there and most is links to 2008R2 documents, so I may be doing this incorrectly.

Before Install-ADServiceAccount (on the local computer)

•I set up the KDS root key and it has replicated
•I ran New-ADServiceAccount and Add-ADComputerServiceAccount to create and assign a gMSA
•User account has FULL CONTROL of the gMSA object (even tried removing accidental deletion protection)
Looking through logs on the DCs, I see:

•Directory Access successes from the user account I am using - reading the gMSA object
•No Directory Access failures are recorded - auditing is on for all accesses to the gMSA object
•Privilege Use failures for the computer account to use seBackupPrivilege
There is nothing in logs on the local machine that I could find and the error message says WriteError: (<gMSA account>:String)

[guest]

Did you use administrator to perform the steps to group managed service accounts?


Please refer to the following Microsoft TechNet article for more information:


Getting Started with Group Managed Service Accounts

http://technet.microsoft.com/en-us/libr ... 28431.aspx

[guest]

Thanks for the link - in my searches I had not found any guidance on how to to this correctly in 2012, only in 2008R2

My error was in using 'Add-ADComputerServiceAccount' instead of 'Set-ADServiceAccount'. When I used the latter, everything just worked. Install-ADServiveAccount was not needed.