If you want to run your EmpowerID services and app pools as group managed service accounts (gMSA), this topic provides details on how to configure your domain controller, SQL Server, and the computers where you run the service. For more information about such service accounts, see Microsoft's gMSA Overview topic.

To run the script, you must first open PowerShell as administrator. Otherwise, the script fails.
ServerList — The servers you use for EmpowerID (SQL, DC, computers where you run the service as a service account) each followed by a dollar sign (e.g. sql02$, prod-dc01$, my-server$)
If you run the script without parameters, it prompts for each server individually; alternatively, pass them all on the command line as shown below. You can enter as many servers as you need. When entering them individually, the prompt repeats until you press Enter without entering a value.
You can run the file in PowerShell, and it will prompt you for parameter values, or you can enter the following command in PowerShell, replacing the parameter values with your own:
.\GMSA_CreateAccount.ps1 -ServiceAccountName MYgMSAccount -DNSHostName MYaddomain.com -ServerList MY-dc01$, MY-eid$, MYsql02$
Next, give your Group Managed Service Account access to the SQL database.
On each machine where you want to run the service, download the script below to install your new Group Managed Service Account.
To run the script, you must first open PowerShell as administrator. Otherwise, the script fails.
Supply your ServiceAccountName when prompted, or use the following command to run the script, replacing kimgMSA with your account name.
.\GMSA_Install-ADServiceAccount.ps1 -ServiceAccountName kimgMSA
Download the following script onto your EmpowerID machine.
To run the script, you must first open PowerShell as administrator. Otherwise, the script fails. |
When prompted, supply your domain and gMSA account name followed by the dollar sign, e.g. addomain\kimgMSA$, or use the following command to run the script, replacing addomain and kimgMSA with your domain and account name.
.\EID_SetAppPoolIdentity.ps1 -Account addomain\kimgMSA$
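The four steps above (create the gMSA on the domain controller, grant it SQL access, install it on each EmpowerID host, and point the app pool and service at it) as one added PowerShell example. This is not EmpowerID's own GMSA_*.ps1 or EID_SetAppPoolIdentity.ps1 code; it uses the standard ActiveDirectory, SqlServer and WebAdministration cmdlets, and every name in it (account, domain, host list, SQL instance, database, database role, app pool, service) is a placeholder or a labelled assumption rather than a value from this page.

```powershell
# Added example, not EmpowerID's own GMSA_*.ps1 scripts: one function per step of the
# procedure above. Every name below (account, domain, hosts, SQL instance, database,
# role, app pool, service) is a placeholder or assumption, not a value from the page.
#Requires -RunAsAdministrator

# Step 1, run on a domain controller: create the gMSA and list the hosts allowed to
# retrieve its password (the ServerList entries, each ending in "$").
function New-EidGmsa {
    param(
        [Parameter(Mandatory)][string]$ServiceAccountName,
        [Parameter(Mandatory)][string]$DNSHostName,
        [Parameter(Mandatory)][string[]]$ServerList
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # A gMSA cannot be created until the forest has a KDS root key.
    if (-not (Get-KdsRootKey)) {
        throw 'No KDS root key in this forest; create one with Add-KdsRootKey and wait until it is effective.'
    }
    # Resolve every "host$" to its computer object so a typo fails here, not at password retrieval.
    $principals = foreach ($entry in $ServerList) {
        try { Get-ADComputer -Identity $entry.TrimEnd('$') -ErrorAction Stop }
        catch { throw "Computer account '$entry' was not found in Active Directory." }
    }
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$ServiceAccountName'")) {
        New-ADServiceAccount -Name $ServiceAccountName -DNSHostName $DNSHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $principals -Enabled $true
    }
    # Return the logon name the later steps need, e.g. MYDOMAIN\MYgMSAccount$
    $gmsa = Get-ADServiceAccount -Identity $ServiceAccountName
    "$((Get-ADDomain).NetBIOSName)\$($gmsa.SamAccountName)"
}

# Step 2, run where the SqlServer module is installed and the caller is a SQL sysadmin:
# create the Windows login for the gMSA and map it into the EmpowerID database.
function Grant-EidSqlAccess {
    param(
        [Parameter(Mandatory)][string]$AccountLogon,   # e.g. MYDOMAIN\MYgMSAccount$
        [Parameter(Mandatory)][string]$SqlInstance,
        [Parameter(Mandatory)][string]$Database,
        [string]$Role = 'db_owner'                     # assumption; use the role EmpowerID's docs require
    )
    Import-Module SqlServer -ErrorAction Stop
    $query = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$AccountLogon')
    CREATE LOGIN [$AccountLogon] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$AccountLogon')
    CREATE USER [$AccountLogon] FOR LOGIN [$AccountLogon];
ALTER ROLE [$Role] ADD MEMBER [$AccountLogon];
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query -ErrorAction Stop
}

# Step 3, run on each EmpowerID host (needs the RSAT ActiveDirectory module): install the
# gMSA locally and prove that this host can actually fetch the managed password.
function Install-EidGmsaOnHost {
    param([Parameter(Mandatory)][string]$ServiceAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    Install-ADServiceAccount -Identity $ServiceAccountName
    if (-not (Test-ADServiceAccount -Identity $ServiceAccountName)) {
        throw "$env:COMPUTERNAME cannot retrieve the managed password; check that it is in ServerList."
    }
}

# Step 4, run on each EmpowerID host: point the IIS app pool and the Windows service at the
# gMSA. The password is left blank because Windows retrieves it from AD on its own.
function Set-EidGmsaIdentity {
    param(
        [Parameter(Mandatory)][string]$AccountLogon,
        [Parameter(Mandatory)][string]$AppPoolName,
        [Parameter(Mandatory)][string]$ServiceName
    )
    Import-Module WebAdministration -ErrorAction Stop
    # identityType 3 = SpecificUser
    Set-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -Name processModel `
        -Value @{ userName = $AccountLogon; password = ''; identityType = 3 }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $AccountLogon; StartPassword = '' }
    if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)." }
}

# Example flow with placeholder values; run each step on the machine named in its comment.
# $logon = New-EidGmsa -ServiceAccountName 'MYgMSAccount' -DNSHostName 'MYgMSAccount.MYaddomain.com' -ServerList 'MY-dc01$','MY-eid$','MYsql02$'
# Grant-EidSqlAccess -AccountLogon $logon -SqlInstance 'MYsql02' -Database 'EmpowerID'
# Install-EidGmsaOnHost -ServiceAccountName 'MYgMSAccount'
# Set-EidGmsaIdentity -AccountLogon $logon -AppPoolName 'EmpowerID' -ServiceName 'EMPOWERID-SERVICE-PLACEHOLDER'
```

Two checks worth keeping from this example even if you use the page's scripts: Test-ADServiceAccount on each host confirms the computer account can actually retrieve the managed password before you change any identity, and the step-1 lookup of every ServerList entry catches a mistyped host name early. The gMSA must also hold the "Log on as a service" user right on each host it runs on; Install-ADServiceAccount does not grant that, so set it through local or Group Policy.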