We have noticed lately that more and more customers are taking out "cyber insurance" policies that require removing the account used to run the UMRA Windows service from the "Domain Admins" group, as an added security measure. The UMRA service requires this group membership to open connections using PowerShell. Creating a Managed Service Account (MSA) in Active Directory makes it possible to start a Windows service as a domain administrator account that cannot log in interactively. The password is also very strong, unknown to any user, and managed by Active Directory; by default it is automatically reset to a new secure value every 30 days.


Be sure to run the following steps from your UMRA server PowerShell prompt.


How to Create a Managed Service Account (MSA) in Active Directory

1. To create a new MSA in AD via PowerShell use this command:

New-ADServiceAccount -Name DesiredMSAName -RestrictToSingleComputer

By default, any MSA is created in the container CN=Managed Service Accounts, but you can change the OU using the -Path parameter. For security we have added the -RestrictToSingleComputer parameter. This allows the MSA to be attached to only a single server.

2. Link your MSA service account to the target computer (UMRA Server):

$Identity = Get-ADComputer -Identity UMRAServerName
Add-ADComputerServiceAccount -Identity $Identity -ServiceAccount DesiredMSAName

In this context '-Identity' on Get-ADComputer refers to the name of the server on which we would like to use the MSA.

3. To verify the MSA account was created use this command:

Get-ADServiceAccount DesiredMSAName

4. Install the MSA service account on the server:

Install-ADServiceAccount -Identity DesiredMSAName

5. Check if the service account is installed correctly:

Test-ADServiceAccount DesiredMSAName

If the command returns True, everything is configured correctly. If it returns False, do not continue with the service configuration until the previous steps have been checked.


How to Run a Windows Service under a Managed Service Account

You can now configure the required Windows service to run under an MSA.

  1. Open the service management console (services.msc).
  2. Right-click the 'UMRA Service' service, open its properties and go to the "Log On" tab.
  3. Select the 'This account' radio button and enter the name of the MSA account. Be sure to add the $ symbol at the end of the account name; the format is 'domain\MSAaccount$'. Clear both password fields.
  4. The MSA service account is automatically granted the 'Log on as a service' right. If a Group Policy limits which accounts can log on as a service, you will need to add the MSA to the approved list manually.
  5. Repeat steps 2 and 3 for the 'Tools4ever's PowerShell Agent service' Windows service.
  6. In Active Directory Users and Computers, add the MSA to the 'Domain Admins' group.
  7. Back in services.msc, restart both UMRA services.
  8. Close services.msc.

Be sure that your managed service account has been given the 'Domain Admins' group membership.

That should be everything that is needed to be done. Verify that everything is working correctly by manually starting an automation job in the UMRA console.
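The creation steps above (create, link, install, test) and the service configuration steps can be carried out together from one elevated PowerShell prompt on the UMRA server. The script below is an added example, not Tools4ever's own code; the MSA name and the short service names are placeholders, and the service logon is changed through the Win32_Service CIM class rather than the services.msc dialog.

```powershell
# Added example (not from Tools4ever). Run from an elevated PowerShell prompt
# on the UMRA server itself, with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$MsaName    = 'svc-umra'                 # placeholder (page: DesiredMSAName)
$ServerName = $env:COMPUTERNAME          # this script runs on the UMRA server
$Domain     = (Get-ADDomain).NetBIOSName
# Short service names as shown in Task Manager, not display names; placeholders.
$Services   = @('UMRAService', 'T4EPowerShellAgent')

# 1. Create the MSA restricted to a single computer, unless it already exists.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -RestrictToSingleComputer
}

# 2. Link the MSA to this server's computer object.
$Computer = Get-ADComputer -Identity $ServerName
Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $MsaName

# 3./4./5. Verify it exists, install it locally and test; stop on failure so
# the services are never pointed at an account that cannot log on.
Get-ADServiceAccount -Identity $MsaName | Out-Null
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "Test-ADServiceAccount returned False for $MsaName; services left unchanged."
}

# Service steps 2/3/5: account name needs the trailing '$' and an empty password.
$Account = "$Domain\$MsaName`$"
foreach ($svc in $Services) {
    $cim    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    $result = Invoke-CimMethod -InputObject $cim -MethodName Change `
                  -Arguments @{ StartName = $Account; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Changing the logon account of $svc failed (code $($result.ReturnValue))"
    }
}

# Service step 6: the group membership the article requires for UMRA.
Add-ADGroupMember -Identity 'Domain Admins' -Members (Get-ADServiceAccount -Identity $MsaName)

# Service step 7: restart and confirm each service now runs under the MSA.
foreach ($svc in $Services) {
    Restart-Service -Name $svc
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" |
        Select-Object Name, State, StartName
}
```

The final Select-Object output should show State 'Running' and StartName equal to 'domain\svc-umra$' for both services; if a Group Policy restricts 'Log on as a service', the restart will fail until the MSA is added to that policy.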




How to REMOVE a Managed Service Account

To remove the MSA from the server and the domain run the following commands:

1. Remove-ADServiceAccount -Identity CurrentMSAName

2. Uninstall-ADServiceAccount -Identity CurrentMSAName

If you open services.msc on your server, attempt to change the 'Log On' tab information, and the options are grayed out and stuck on your MSA, you will need to run the following from an elevated (Administrator) CMD prompt:

3. sc config ServiceNameListedInTaskManager obj= domain\user password= passwordValueOfADAccount

The 'obj=' must have a space between it and the domain\user value; the same applies to 'password='. Run this from CMD rather than PowerShell, because in PowerShell 'sc' is an alias for Set-Content (in PowerShell you would have to call sc.exe explicitly).

Be sure to change out:

ServiceNameListedInTaskManager   with the short service name shown in Task Manager,

domain\user   with your domain and the username under which you would like to start the service,

passwordValueOfADAccount   with the password of the AD account given in the obj= value.