How to List PrincipalsAllowedToRetrieveManagedPassword for gMSA Accounts Using PowerShell


2 views

Group Managed Service Accounts (gMSAs) have a critical security property called PrincipalsAllowedToRetrieveManagedPassword that determines which computer accounts or security groups can access the account's password. When troubleshooting authentication issues or auditing security configurations, administrators often need to query this property.

The most reliable way to inspect gMSA properties is through the Active Directory module in PowerShell. Here's the fundamental command:

Get-ADServiceAccount -Identity "gMSA_Name" -Properties PrincipalsAllowedToRetrieveManagedPassword

For better output formatting and processing:

$gMSA = Get-ADServiceAccount -Identity "WebFarmSvc" -Properties PrincipalsAllowedToRetrieveManagedPassword
$gMSA.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    try {
        Get-ADObject $_ -Properties Name | Select-Object Name,ObjectClass
    }
    catch {
        $_
    }
}

When dealing with nested group memberships, you'll need recursive resolution:

function Get-gMSAPrincipals {
    param(
        [string]$gMSAName,
        [switch]$ResolveNested
    )
    
    $account = Get-ADServiceAccount -Identity $gMSAName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $principals = $account.PrincipalsAllowedToRetrieveManagedPassword
    
    foreach ($principal in $principals) {
        $adObject = Get-ADObject $principal -Properties member,ObjectClass
        
        if ($adObject.ObjectClass -eq 'group' -and $ResolveNested) {
            Write-Output "Group: $($adObject.Name)"
            Get-ADGroupMember -Identity $adObject.DistinguishedName -Recursive | 
                Get-ADObject -Properties Name | Select-Object Name,ObjectClass
        }
        else {
            $adObject | Select-Object Name,ObjectClass
        }
    }
}

Error: "Cannot find an object with identity"
Fix: Ensure you have the Active Directory module installed and proper permissions:

Import-Module ActiveDirectory
Get-Module ActiveDirectory

For environments without the AD module:

$gMSA = [ADSI]"LDAP://CN=WebFarmSvc,CN=Managed Service Accounts,DC=domain,DC=com"
$principals = $gMSA.Properties["msDS-GroupMSAMembership"].Value
$principals | ForEach-Object {
    $principal = [ADSI]"LDAP://$_"
    New-Object PSObject -Property @{
        Name = $principal.Name
        Class = $principal.Class
    }
}

When documenting gMSA configurations, include:

  • Timestamp of the query
  • Domain context
  • Full distinguished names of principals
  • Any nested group expansions

Group Managed Service Accounts (gMSA) use the PrincipalsAllowedToRetrieveManagedPassword property to control which computers or groups can access the account password. This security feature is crucial in Active Directory environments, yet many administrators struggle to query this information programmatically.

The most reliable method uses Active Directory PowerShell module:

# First import the AD module
Import-Module ActiveDirectory

# Get gMSA account and display principals
$gmsa = Get-ADServiceAccount -Identity 'Your_gMSA_Name' -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

# Alternative with formatted output
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
Where-Object {$_.PrincipalsAllowedToRetrieveManagedPassword} |
Select-Object Name,@{N='Principals';E={$_.PrincipalsAllowedToRetrieveManagedPassword -join ";"}}

For systems without PowerShell 5.1+ or ActiveDirectory module:

$gmsaDN = "CN=Your_gMSA,CN=Managed Service Accounts,DC=domain,DC=com"
$gmsa = [ADSI]"LDAP://$gmsaDN"
$principals = $gmsa.Properties["msDS-GroupMSAMembership"].Value

foreach ($principal in $principals) {
    $principalEntry = [ADSI]"LDAP://$principal"
    Write-Output $principalEntry.Name
}

Error: "Cannot find an object with identity"
Fix: Ensure you're using the full name including the dollar sign ($) for gMSA accounts

Error: "The term 'Get-ADServiceAccount' is not recognized"
Fix: Install RSAT-AD-PowerShell feature or import ActiveDirectory module

Here's a complete script to audit all gMSA permissions in a domain:

$report = @()
$allGMSAs = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword

foreach ($gmsa in $allGMSAs) {
    if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $entry = [PSCustomObject]@{
            gMSAName = $gmsa.Name
            Principals = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ", "
            DistinguishedName = $gmsa.DistinguishedName
        }
        $report += $entry
    }
}

$report | Export-Csv -Path "gMSA_Permissions_Audit.csv" -NoTypeInformation
  • Always use security groups rather than individual computer accounts
  • Document changes to gMSA permissions
  • Regularly audit gMSA permissions using scripts like the example above
  • Consider implementing approval workflows for gMSA permission changes