Skip to main content

Changing from Local System to Managed Service Account for the Quickpass Service

Ross Thomas
  • Updated

Situation

The Quickpass Agent on a Domain Controller was originally installed with Local System to run the Quickpass Service and you want to change to Managed Service Account (MSA)

  1. "Local System" account may not have sufficient privileges to Read/Write to Active Directory.
  2. In order to have increased visibility to Security Audit logs to determine what actions are performed by the Quickpass Agent.

 

Implementation

  1. Download the attached FixMSA PowerShell Script.
    https://support.getquickpass.com/hc/en-us/article_attachments/8289530497559/FixMSA.ps1

  2. Run this on the Domain Controller(s) in question, using PowerShell AS ADMINISTRATOR
    1. Run this on any Domain Controller that were installed using the Local System account
      1. You must run the script ON each Domain Controller (an MSA is specific per DC - you cannot run this from a DC to apply to another DC)

 

What the Script does

Running the script will

    1. Without any parameters
      1. (ex: PS> .\FixMSA.ps1)
      2. Will create an Managed Service Account with the name QPass######## where the ## symbols refer to the date/time that the PowerShell script was ran
    2. With a specified Managed Service Account name
      1. (ex PS> .\FixMSA.ps1 SpecificAcct) (the name of the account must be between 8 and 15 characters long)
      2. Will create an Managed Service Account with the name specified
        1. NOTE: Each Domain Controller MUST have a different Managed Service Account name
    3. Add the Managed Service Account to the "Managed Service Account Container" in the OU Structure if it exists or the "Users" Container if it does not
    4. Add a Description to the Account to indicate that this was Manually created for use with Quickpass on the Domain Controller name.
    5. Add the Created Managed Service Account to the Domain Admins Group
      1. This is required to ensure that password changes for other Administrator Accounts have sufficient privileges.
    6. Update the Registry on the Domain Controller so that future Quickpass Agent updates know the Managed Service Account name and to use the Managed Service Account in the future.
    7. Stop the Quickpass Service, update the account name to run the service, Start the Quickpass Service.

 

Additional Considerations

  1. If the Domain has a Policy that limits Domain Admin Membership ensure that you add the new Managed Service Account to that Policy to ensure the account remains a member of the Group
  2. If the Domain has a Policy that limits which accounts are used to Log On as a Service, update that account list to include the new Managed Service Account.
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.

Related articles

Comments

0 comments

Article is closed for comments.