Situation
The Quickpass Agent on a Domain Controller was originally installed with Local System to run the Quickpass Service, and you want to change it to a Managed Service Account (MSA) because:
- The "Local System" account may not have sufficient privileges to read from and write to Active Directory.
- A dedicated account gives increased visibility in the Security Audit logs, so you can determine which actions were performed by the Quickpass Agent.
Implementation
- Download the attached FixMSA PowerShell Script, or directly here - FixMSA.ps1
- Run this on the Domain Controller(s) in question, using PowerShell AS ADMINISTRATOR
- Run this on any Domain Controller where the agent was installed using the Local System account
- NOTE: You must run the script ON each Domain Controller (an MSA is specific to one DC - you cannot run this from one DC to apply it to another DC)
Looking to deploy this through your RMM tool? See below!
Articles for RMM Deployment Steps
- Connectwise Automate - Change from Local System to Managed Service Account
- Connectwise RMM - Change from Local System to Managed Service Account
- more tools, coming soon!
Can't find your RMM tool above? We will be publishing documents for more RMM tools soon. In the meantime, you may run this modified PowerShell script against your machines using your preferred RMM tool.
NOTE: The 'FixMSA - RMM.ps1' script will only complete if the target endpoint is a domain controller running the Quickpass Server Agent service as Local System. Checks are made to cancel if the target endpoint is not compliant.
What the 'FixMSA.ps1' Script does
Running the script will:
- Without any parameters (ex: PS> .\FixMSA.ps1)
  - Create a Managed Service Account with the name QPass######## where the # symbols refer to the date/time that the PowerShell script was run
- With a specified Managed Service Account name (ex: PS> .\FixMSA.ps1 SpecificAcct; the name of the account must be between 8 and 15 characters long)
  - Create a Managed Service Account with the name specified
  - NOTE: Each Domain Controller MUST have a different Managed Service Account name
- Add the Managed Service Account to the "Managed Service Accounts" container in the OU structure if it exists, or to the "Users" container if it does not
- Add a Description to the account to indicate that it was manually created for use with Quickpass on the named Domain Controller
- Add the created Managed Service Account to the Domain Admins group
  - This is required to ensure that password changes for other Administrator accounts have sufficient privileges
- Update the Registry on the Domain Controller so that future Quickpass Agent updates know the Managed Service Account name and continue to use the Managed Service Account
- Stop the Quickpass Service, update the account the service runs as, then start the Quickpass Service
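The sequence above, written out as an added PowerShell illustration (this is not the FixMSA.ps1 script itself). The Quickpass service name and the registry key/value the agent reads are not given on this page, so `$ServiceName`, `$RegistryPath` and the `ServiceAccount` value name are placeholders to be replaced with the real ones:

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Position = 0)]
    [ValidateLength(8, 15)]                                         # page: name must be 8-15 chars
    [string]$AccountName = ('QPass' + (Get-Date -Format 'MMddHHmm'))  # QPass######## style default
)
Import-Module ActiveDirectory -ErrorAction Stop

$ServiceName  = 'QuickpassAgent'                  # PLACEHOLDER: real Quickpass service name
$RegistryPath = 'HKLM:\SOFTWARE\Quickpass\Agent'  # PLACEHOLDER: key the agent updater reads

# Pre-flight checks, mirroring the RMM variant: only continue on a DC whose
# Quickpass service still runs as Local System.
if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 2) { throw 'Not a domain controller; aborting.' }
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; aborting." }
if ($svc.StartName -ne 'LocalSystem') { throw "Service already runs as $($svc.StartName); nothing to do." }

$domain = Get-ADDomain
$msaContainer = "CN=Managed Service Accounts,$($domain.DistinguishedName)"
$path = if (Get-ADObject -Identity $msaContainer -ErrorAction SilentlyContinue) { $msaContainer }
        else { $domain.UsersContainer }   # fall back to the Users container, as the page describes

# One standalone MSA per DC: RestrictToSingleComputer ties it to this host only.
New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer -Path $path `
    -Description "Manually created for use with Quickpass on $env:COMPUTERNAME" -ErrorAction Stop
Add-ADComputerServiceAccount -Identity $env:COMPUTERNAME -ServiceAccount $AccountName
Install-ADServiceAccount -Identity $AccountName

# Domain Admins membership is what lets the agent change other administrators' passwords.
Add-ADGroupMember -Identity 'Domain Admins' -Members (Get-ADServiceAccount -Identity $AccountName)

# Record the account so later agent updates keep using it (value name is a placeholder).
$logon = '{0}\{1}$' -f $domain.NetBIOSName, $AccountName   # MSA logon names end with '$'
New-Item -Path $RegistryPath -Force | Out-Null
Set-ItemProperty -Path $RegistryPath -Name 'ServiceAccount' -Value $logon

# Swap the service logon: an MSA is set with its '$' name and an empty password.
Stop-Service -Name $ServiceName -Force
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = $logon; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }
Start-Service -Name $ServiceName
```

After it runs, `(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName` should show the `DOMAIN\QPass...$` account instead of LocalSystem.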
Additional Considerations
- If the Domain has a Policy that limits Domain Admins membership, ensure that you add the new Managed Service Account to that Policy so the account remains a member of the group.
- If the Domain has a Policy that limits which accounts are used to Log On as a Service, update that account list to include the new Managed Service Account.
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.