I have created a Group Managed Service Account in an AWS Managed Active Directory. I am currently logged in on an EC2 instance as the Admin user. When I run Get-AdServiceAccount -Identity GMSA_NAME -Properties PrincipalsAllowedToRetrieveManagedPassword, the PrincipalsAllowedToRetrieveManagedPassword row has Admin with the correct domain information.

When I run Test-ADServiceAccount -Identity GMSA_NAME the test results in the following error:

WARNING: Test failed for Managed Service Account GMSA_NAME. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.

I've tried creating a group, adding Admin to that group and adding it as the Principal which can retrieve the password, but I get the same result. I have only been able to find one forum with this error and the answer simply says to make sure the account is in the PrincipalsAllowed... list. Could this be an issue with the DNSHostName? I can't think of any other possible issues.


user23556306:

The Computer Account needs to be a member of the group, not the username you are logging in as.
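As an added example (not part of the original answer), the sequence below applies that fix: it adds the EC2 host's computer account to the group, points the gMSA at the group, refreshes the machine's Kerberos ticket so the new membership is visible, and re-runs the test. It assumes the gMSA is GMSA_NAME (from the question) and that a security group named GMSA_Hosts (hypothetical) already exists in an OU the account you are logged in with can manage.

```powershell
# Added example, not from the original post. Assumes the gMSA GMSA_NAME and an
# existing security group GMSA_Hosts (hypothetical name) that will hold the
# computer accounts allowed to retrieve the managed password.
Import-Module ActiveDirectory

$gmsaName  = 'GMSA_NAME'
$groupName = 'GMSA_Hosts'   # assumed group name

# The principal that retrieves a gMSA password is the host's computer account
# (the identity the machine itself authenticates with), not the user logged on.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity $groupName -Members $computer

# Grant the group, rather than an individual user, the right to retrieve the password.
Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $groupName

# Group membership travels in the computer's Kerberos ticket, so the host needs a
# fresh ticket before the change takes effect: purge the machine account's
# (SYSTEM, logon ID 0x3e7) ticket cache, or reboot. Requires an elevated prompt.
klist -li 0x3e7 purge

# Verify the configuration: the principals list should now name the group, and the
# gMSA's supported encryption types should overlap with what this host offers
# (the second failure mode named in the warning).
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-SupportedEncryptionTypes |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, msDS-SupportedEncryptionTypes

# Register the gMSA on this host and confirm the password can now be retrieved.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName   # True once the computer account is authorized
```

If the test still fails after the ticket refresh, the "MSA operational log" the warning refers to is Microsoft-Windows-Security-Netlogon/Operational in Event Viewer, which records the exact reason the password fetch was refused.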