Situation
The Quickpass Agent on a Domain Controller was originally installed with the Local System account to run the Quickpass Service, and you want to change it to a Managed Service Account (MSA), because:
- The Local System account may not have sufficient privileges to read from and write to Active Directory.
- Running the agent under its own dedicated account gives it a distinct identity in the Security Audit logs, so actions performed by the Quickpass Agent can be attributed to it rather than to the DC's Local System account.
Implementation
- Download the attached FixMSA PowerShell Script, or directly here - Fix Quickpass Service MSA.ps1
- Run this on the Domain Controller(s) in question, from a PowerShell session started AS ADMINISTRATOR.
- Run this on every Domain Controller where the agent was installed using the Local System account.
- NOTE: You must run the script ON each Domain Controller (the MSA is specific to each DC; you cannot run the script from one DC to apply it to another).
Looking to deploy this through your RMM tool? See below!
Articles for RMM Deployment Steps
- Connectwise Automate - Change from Local System to Managed Service Account
- Connectwise RMM - Change from Local System to Managed Service Account
- more tools, coming soon!
Can't find your RMM tool above? We will be publishing documents for more RMM tools soon. In the meantime, you may run the modified PowerShell script ('FixMSA - RMM.ps1') against your machines using your preferred RMM tool.
NOTE: The 'FixMSA - RMM.ps1' script will only complete if the target endpoint is a domain controller running the Quickpass Server Agent service as Local System. Checks are made to cancel the run if the target endpoint does not meet those conditions.
What the 'Fix Quickpass Service MSA.ps1' Script does
This script creates a Group Managed Service Account (gMSA) in Active Directory and configures the Quickpass Agent service to run under it. Run it directly on the Domain Controller where the Quickpass Agent is installed.
MSA Naming
This script has no command-line parameters. The MSA name is controlled by the $msamanual variable near the top of the script:
- Leave $msamanual as $null (default): the script auto-generates a name in the format QPassYYMMDDhmss, truncated together with the DC hostname to a maximum of 15 characters (e.g., QPass260331DC01). The 15-character limit comes from the sAMAccountName length limit for service accounts.
- Set $msamanual to a custom name: the script uses that value. It must be between 8 and 15 characters; the script exits with an error if the name is out of range.
Note: Each Domain Controller must use a unique MSA name.
What the script does, step by step:
- Checks for a KDS Root Key: creates one if missing, then waits for AD replication before continuing.
- Creates the gMSA: added to the Managed Service Accounts container (or Users as a fallback), with a description identifying it as a manually created Quickpass account.
  ⚠️ New: Kerberos encryption is now enforced to AES256.
- Grants the DC permission to retrieve the managed password: allows the local DC computer account to use the gMSA.
- Adds the gMSA to Domain Admins: required for the Quickpass Agent to manage administrator account passwords.
- Stops the Quickpass Agent service: waits up to 60 seconds for a clean stop before proceeding.
- Updates the service logon account: reconfigures the Quickpass Agent service to run as the new gMSA.
- Updates the registry: records the gMSA name and enables MSA mode for the Quickpass Agent. If this step fails, the script rolls back the service account change automatically.
- Starts the Quickpass Agent service.
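The following is an added example of the core of this procedure written out in PowerShell; it is not the 'Fix Quickpass Service MSA.ps1' script itself and does not reproduce the registry step, because the article does not name the registry key or values. The service name 'QuickpassAgent' is an assumption (confirm the real one with Get-Service); the name-generation logic is a reading of the QPass + date + hostname example above. It adds two checks a practitioner would want: it refuses to run unless the service currently runs as LocalSystem on a DC, and it verifies with Test-ADServiceAccount that this DC can actually retrieve the managed password before touching the service.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example, not the Quickpass script. Run on the DC being converted.
param(
    [string]$MsaManual   = $null,            # leave empty to auto-generate the name
    [string]$ServiceName = 'QuickpassAgent'  # ASSUMED service name; verify with Get-Service
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Guard rails: must be a DC, and the service must still run as LocalSystem.
if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 2) { throw 'This host is not a domain controller.' }
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
if ($svc.StartName -ne 'LocalSystem') { throw "Service already runs as '$($svc.StartName)'; nothing to do." }

$domain = Get-ADDomain
$dcName = $env:COMPUTERNAME

# MSA name: 'QPass' + yyMMdd + hostname, truncated to 15 characters (sAMAccountName limit).
if ([string]::IsNullOrEmpty($MsaManual)) {
    $msaName = 'QPass' + (Get-Date -Format 'yyMMdd') + $dcName
    if ($msaName.Length -gt 15) { $msaName = $msaName.Substring(0, 15) }
} else {
    $msaName = $MsaManual
}
if ($msaName.Length -lt 8 -or $msaName.Length -gt 15) { throw "MSA name '$msaName' must be 8-15 characters." }

# 1. KDS root key. A new key still needs to replicate to every DC (up to 10 hours in a
#    multi-DC domain) before gMSA passwords can be generated on all of them.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Start-Sleep -Seconds 30
}

# 2. Create the gMSA in the Managed Service Accounts container, falling back to Users.
$msaPath = "CN=Managed Service Accounts,$($domain.DistinguishedName)"
try { Get-ADObject -Identity $msaPath | Out-Null } catch { $msaPath = $domain.UsersContainer }
$dcComputer = Get-ADComputer -Identity $dcName
New-ADServiceAccount -Name $msaName `
    -DNSHostName "$msaName.$($domain.DNSRoot)" `
    -Path $msaPath `
    -Description "Quickpass Agent gMSA for $dcName (manually created)" `
    -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword $dcComputer   # 3. only this DC may fetch the password
$msa = Get-ADServiceAccount -Identity $msaName

# 4. Domain Admins, addressed by its well-known RID so the group's display name does not matter.
Add-ADGroupMember -Identity "$($domain.DomainSID.Value)-512" -Members $msa

# Prove this DC can retrieve the managed password before the service depends on it.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw 'This DC cannot retrieve the managed password yet (KDS key or account not replicated). Retry later.'
}

# 5. Stop the service and wait up to 60 s for a clean stop.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 6. Switch the logon account. A gMSA is referenced as DOMAIN\name$ with an empty password.
#    Unlike services.msc, Win32_Service.Change does not grant 'Log on as a service';
#    that right must come from local policy or GPO (see Additional Considerations).
$logon = "$($domain.NetBIOSName)\$msaName`$"
try {
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $logon; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($r.ReturnValue)." }
    # 7. (Registry update omitted: key and value names are not documented here.)
    # 8. Start and verify.
    Start-Service -Name $ServiceName
} catch {
    # Roll back to LocalSystem so the agent is never left with an unusable logon account.
    Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = 'LocalSystem'; StartPassword = '' } | Out-Null
    Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    throw
}
$after = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
'{0} now runs as {1} ({2})' -f $after.Name, $after.StartName, $after.State
```

Test-ADServiceAccount is the check worth keeping even if you use the vendor script: on a freshly created KDS root key in a multi-DC domain it returns False until replication has converged, and changing the service logon before that point leaves the agent unable to start.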
Additional Considerations
- If the Domain has a Policy that limits Domain Admins membership (for example a Restricted Groups policy), add the new Managed Service Account to that Policy so the account remains a member of the group.
- If the Domain has a Policy that limits which accounts may Log On as a Service, update that account list to include the new Managed Service Account:
  Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.
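Both policies above are enforced at the next Group Policy refresh, so the conversion can look successful and then break hours later. The following is an added verification snippet (not part of the article or the vendor script) that checks, after a policy refresh, whether the gMSA is still in Domain Admins and still holds the SeServiceLogonRight on this DC. The MSA name defaults to the article's example QPass260331DC01 and the service name 'QuickpassAgent' is an assumption.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example: confirm GPO has not undone the gMSA conversion on this DC.
param(
    [string]$MsaName     = 'QPass260331DC01',  # name from the article's example
    [string]$ServiceName = 'QuickpassAgent'    # ASSUMED service name
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Apply policy now rather than waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

$domain = Get-ADDomain
$msa    = Get-ADServiceAccount -Identity $MsaName -Properties MemberOf
$daDn   = (Get-ADGroup -Identity "$($domain.DomainSID.Value)-512").DistinguishedName
$inDomainAdmins = [bool]($msa.MemberOf -contains $daDn)

# User rights are not exposed by a cmdlet; export the effective local policy and parse it.
# secedit writes principals as *<SID>, so match on the gMSA's SID.
$cfg = Join-Path $env:TEMP 'qp-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasLogonRight = [bool]($rightLine -and $rightLine.Contains("*$($msa.SID.Value)"))

# The service itself: still configured for the gMSA, and running?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$expectedLogon = "$($domain.NetBIOSName)\$MsaName`$"

[pscustomobject]@{
    DomainController   = $env:COMPUTERNAME
    MsaName            = $MsaName
    InDomainAdmins     = $inDomainAdmins
    HasServiceLogon    = $hasLogonRight
    ServiceLogonIsMsa  = ($svc.StartName -eq $expectedLogon)
    ServiceState       = $svc.State
}
```

Any False in the output points at the corresponding policy: InDomainAdmins False means a Restricted Groups policy removed the account, HasServiceLogon False means the Log on as a service list was applied without the gMSA, and in either case the agent will fail at its next restart or password rotation rather than immediately.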