Situation
The Quickpass Agent on a Domain Controller was originally installed to run the Quickpass Service as Local System, and you want to change it to a Managed Service Account (MSA), because:
- The Local System account may not have sufficient privileges to read from and write to Active Directory.
- Running the service under its own account gives increased visibility in the Security audit logs, so the actions performed by the Quickpass Agent can be attributed to that account.
Implementation
- Download the attached FixMSA PowerShell script:
  https://support.getquickpass.com/hc/en-us/article_attachments/8289530497559/FixMSA.ps1
- Run it on the Domain Controller(s) in question, using PowerShell AS ADMINISTRATOR.
- Run it on every Domain Controller on which the agent was installed using the Local System account.
- You must run the script ON each Domain Controller (an MSA is specific to one DC; you cannot run the script on one DC to apply the change to another DC).
What the Script does
Running the script will:
- Create the Managed Service Account:
  - Without any parameters (ex: PS> .\FixMSA.ps1), it creates a Managed Service Account named QPass######## where the # symbols refer to the date/time at which the PowerShell script was run.
  - With a specified Managed Service Account name (ex: PS> .\FixMSA.ps1 SpecificAcct), it creates a Managed Service Account with the name specified (the name must be between 8 and 15 characters long).
  - NOTE: Each Domain Controller MUST have a different Managed Service Account name.
- Add the Managed Service Account to the "Managed Service Account" container in the OU structure if it exists, or to the "Users" container if it does not.
- Add a Description to the account indicating that it was manually created for use with Quickpass on the named Domain Controller.
- Add the created Managed Service Account to the Domain Admins group.
  - This is required so that password changes for other Administrator accounts have sufficient privileges.
- Update the Registry on the Domain Controller so that future Quickpass Agent updates know the Managed Service Account name and continue to use the Managed Service Account.
- Stop the Quickpass Service, update the account the service runs as, and start the Quickpass Service again.
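The steps listed above, written out as an added PowerShell example for one Domain Controller. This is not the FixMSA.ps1 script attached to this article; it is a separate illustration of the same procedure using the ActiveDirectory module. The service name ($ServiceName) and the registry key and value name ($RegistryKey, $RegistryValue) are placeholders assumed for the example, since the article does not state them.

```powershell
# Added example: the procedure the article describes, for ONE Domain Controller.
# Not the article's FixMSA.ps1. Run in an elevated PowerShell session ON the DC being changed.
# ASSUMED placeholders (not given in the article): $ServiceName, $RegistryKey, $RegistryValue.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

function New-QuickpassMsa {
    param(
        # Default mirrors the article: QPass + run timestamp (13 characters, within 8-15)
        [string]$AccountName   = ('QPass{0:MMddHHmm}' -f (Get-Date)),
        [string]$ServiceName   = 'QuickpassService',              # ASSUMED placeholder
        [string]$RegistryKey   = 'HKLM:\SOFTWARE\Quickpass\Agent', # ASSUMED placeholder
        [string]$RegistryValue = 'ServiceAccount'                  # ASSUMED placeholder
    )

    # The article's constraint: the account name must be 8-15 characters long
    if ($AccountName.Length -lt 8 -or $AccountName.Length -gt 15) {
        throw "Account name '$AccountName' must be between 8 and 15 characters."
    }
    # Each DC needs its own MSA: refuse to reuse a name that already exists
    if (Get-ADServiceAccount -Filter "Name -eq '$AccountName'") {
        throw "An MSA named '$AccountName' already exists; choose a different name for this DC."
    }

    $domain = Get-ADDomain
    # Prefer the Managed Service Accounts container; fall back to the Users container
    $path = "CN=Managed Service Accounts,$($domain.DistinguishedName)"
    try { $null = Get-ADObject -Identity $path } catch { $path = $domain.UsersContainer }

    # Standalone MSA usable on this computer only, with the descriptive note the article mentions
    New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer -Path $path -Enabled $true `
        -Description "Manually created for use with Quickpass on $env:COMPUTERNAME"
    # Link the MSA to this DC and install it so the local LSA can retrieve its password
    Install-ADServiceAccount -Identity $AccountName
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "MSA '$AccountName' is not usable on $env:COMPUTERNAME."
    }
    # Domain Admins membership, as the article requires for password changes on admin accounts
    Add-ADGroupMember -Identity 'Domain Admins' -Members (Get-ADServiceAccount -Identity $AccountName)

    # Record the account name where the agent expects it (placeholder key and value name)
    New-Item -Path $RegistryKey -Force | Out-Null
    Set-ItemProperty -Path $RegistryKey -Name $RegistryValue -Value $AccountName

    # Reconfigure the service: an MSA is specified as DOMAIN\name$ with no password.
    # Note: changing the account this way does not by itself grant 'Log on as a service';
    # see the Additional Considerations section for the policy that controls that right.
    Stop-Service -Name $ServiceName
    $startName = "$($domain.NetBIOSName)\$AccountName`$"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $startName; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Service account change failed with code $($r.ReturnValue)" }
    Start-Service -Name $ServiceName
    return $startName
}

# Run without arguments for the timestamp-based name, or pass -AccountName 'SpecificAcct'
New-QuickpassMsa
```

The function refuses to continue if the name is outside the 8-15 character range or already exists in the domain, which enforces the article's rule that every Domain Controller gets a different account name before anything is created.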
Additional Considerations
- If the Domain has a Policy that limits Domain Admins membership, add the new Managed Service Account to that Policy so the account remains a member of the group.
- If the Domain has a Policy that limits which accounts may Log On as a Service, update that account list to include the new Managed Service Account:
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.
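A way to check, on each Domain Controller, that the change took effect and that neither of the two policies above has undone it. This is an added example, not part of the article or the FixMSA.ps1 script; the Quickpass service name is an assumed placeholder.

```powershell
# Added example (not from the article): verify the Quickpass service account state on this DC.
# ASSUMED placeholder: the Quickpass Agent's Windows service name.
Import-Module ActiveDirectory

function Test-QuickpassMsaState {
    param([string]$ServiceName = 'QuickpassService')   # ASSUMED placeholder

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }

    $result = [ordered]@{
        Computer          = $env:COMPUTERNAME
        ServiceAccount    = $svc.StartName
        RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')
        MsaUsable         = $false
        InDomainAdmins    = $false
        HasLogonAsService = $false
    }
    # Still Local System: the script from the article has not been run on this DC
    if ($result.RunsAsLocalSystem) { return [pscustomobject]$result }

    # "DOMAIN\name$" -> "name"
    $name = ($svc.StartName -split '\\')[-1].TrimEnd('$')
    $msa  = Get-ADServiceAccount -Identity $name
    $result.MsaUsable = Test-ADServiceAccount -Identity $name

    # Consideration 1: a policy restricting Domain Admins membership may have removed the MSA
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
    $result.InDomainAdmins = ($admins.SID.Value -contains $msa.SID.Value)

    # Consideration 2: 'Log on as a service' (SeServiceLogonRight) as currently effective here.
    # secedit lists rights holders as '*SID', so compare against the MSA's SID (direct grants only).
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item -Path $inf -Force
    $result.HasLogonAsService = [bool]($line -and ($line -match [regex]::Escape($msa.SID.Value)))

    return [pscustomobject]$result
}

Test-QuickpassMsaState | Format-List
```

Run it on every Domain Controller after the change and again after the next Group Policy refresh: a MSA that shows InDomainAdmins or HasLogonAsService as False is one that a policy listed above is overriding and that the Quickpass Service will stop being able to use.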