I collected bits and pieces of code about gMSA account passwords. There are a few articles mentioning how to get the password, but none of them verifies the fetched password. I created a new gMSA account and specified my user and computer as -PrincipalsAllowedToRetrieveManagedPassword when I ran the script. I fetch the password, convert it and try to start cmd.exe as an elevated user. I got this error:
Start-Process : This command cannot be run due to the error: The user name or password is incorrect.
Starting a process as another local user works, so there is no problem in the code itself. Here is the code:
$username = "gTest01";
# Read the gMSA object together with its managed password blob (requires retrieval rights)
$gmsa = Get-ADServiceAccount -Identity $username -Properties 'msDS-ManagedPassword';
$mp = $gmsa.'msDS-ManagedPassword';
# Dump the raw blob as hex for inspection
($mp | ForEach-Object ToString X2) -join ' ';
# Decode the data structure using the DSInternals module. Returns DSInternals.Common.Data.ManagedPassword object
$managedPasswordObj = ConvertFrom-ADManagedPasswordBlob $mp;
# Get credentials object
$sspwd = ConvertTo-SecureString $managedPasswordObj.CurrentPassword -AsPlainText -Force;
$startWithElevatedRights = "cmd.exe";
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username, $sspwd);
# Launch PowerShell as the gMSA, which in turn starts cmd.exe elevated
$ps = Start-Process -PassThru -FilePath powershell -Credential $credentials -ArgumentList '-noprofile -command &{Start-Process ', $startWithElevatedRights, ' -Wait -verb runas}'
What is wrong with the code?
I found the answer. The problem is the username. gMSA accounts are domain accounts, and the domain must be specified as part of the user name: "domain\user".
Creating an interactive process then fails with the error "Logon failure: the user has not been granted the requested logon type at this computer".
That is a different problem.
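An added example, not from the original post, that applies the answer above: it builds the credential as DOMAIN\SamAccountName (the gMSA's SamAccountName already carries the trailing $) and verifies it with a network LDAP bind rather than an interactive logon, since the interactive logon type is normally not granted to a gMSA. It assumes the ActiveDirectory and DSInternals modules are installed and that the caller is listed in PrincipalsAllowedToRetrieveManagedPassword; Test-GmsaCredential is a hypothetical helper name.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# DSInternals modules are installed and the caller has retrieval rights on the gMSA.
Import-Module ActiveDirectory
Import-Module DSInternals

function Test-GmsaCredential {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'gTest01'

    $gmsa = Get-ADServiceAccount -Identity $Name -Properties 'msDS-ManagedPassword', 'SamAccountName'
    $blob = $gmsa.'msDS-ManagedPassword'
    if (-not $blob) {
        throw "No managed password returned; check PrincipalsAllowedToRetrieveManagedPassword."
    }

    $managed = ConvertFrom-ADManagedPasswordBlob $blob
    $domain  = Get-ADDomain
    # gMSA logon names must be domain-qualified; SamAccountName ends with '$'
    $logonName = "$($domain.NetBIOSName)\$($gmsa.SamAccountName)"
    $secure    = ConvertTo-SecureString $managed.CurrentPassword -AsPlainText -Force
    $cred      = New-Object System.Management.Automation.PSCredential ($logonName, $secure)

    # Verify with a network (LDAP) bind to the PDC emulator instead of an
    # interactive logon, which a gMSA is usually not granted.
    $ldapPath = "LDAP://$($domain.PDCEmulator)"
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $ldapPath, $cred.UserName, $cred.GetNetworkCredential().Password)
    try {
        $null = $entry.NativeObject   # forces the bind; throws on bad credentials
        return [pscustomobject]@{ LogonName = $logonName; Verified = $true }
    } catch {
        return [pscustomobject]@{ LogonName = $logonName; Verified = $false; Error = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

Test-GmsaCredential -Name 'gTest01'
```

A Verified = $false result with an "invalid credentials" message points at the retrieval or decoding step, while a successful bind followed by a failing Start-Process points at the logon type, which is the second problem noted in the answer.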