I have automation script which performs following actions:
Create gMSA account, and specify computer to retrieve password
On the computer which can retrieve the password, run the script and grant "LogOnAsService" to the gMSA account
Set WalletService service identity to newly created gMSA account (WalletService is used for testing)
sc.exe config WalletService type= own obj= "DOMAIN\gMSA03$"
Note: if I specify an empty password, sc.exe execution fails.
Restart WalletService service
The problem starts here: the service does not start due to a logon failure. I open the Local GPO Editor and see that the gMSA account has been granted the LogonAsService permission. Then I open the Services applet and set the identity of the service to Local System, apply the changes, and go back and change the identity of the service to the gMSA account used just before. When I click OK, I do not get the dialog "LogonAsService permission was granted to gMSA account", because it was already there.
Now the service starts. The computer is able to retrieve the managed account password.
What other action is performed by the Services applet so that the gMSA account can retrieve the password from the domain controller (what did I not do in the script)?
There is a need to call sc.exe a second time and set managedaccount.
managedaccount Changes whether the account in which the service runs uses a managed password.
If this setting is "true", the SCM will request the account password from NetLogon when starting the service.
If this setting is "false", the SCM will use the configured account password.
Usage: sc managedaccount [service name] <true|false>
To verify the setting is correct, run
sc qmanagedaccount [service name]
The batch file does 4 steps:
sc.exe - set service identity
sc.exe - query managedaccount
sc.exe - set managedaccount
sc.exe - query managedaccount again, should print changed status
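The four-step batch above as a PowerShell script, added here as an example (it is not the script from the question or the answer). It keeps the service name and account from the post (WalletService, DOMAIN\gMSA03$) and assumes the gMSA is already installed on the host with Install-ADServiceAccount, that "Log on as a service" has already been granted, that the ActiveDirectory module (RSAT) is present, and that the session is elevated. The qmanagedaccount parser assumes the output contains a line of the form "ACCOUNT_MANAGED : TRUE"; check that against your build and adjust the pattern if it differs.

```powershell
# Added example, not the original poster's script.
# Configure a service to run under a gMSA and set the managed-account flag that the
# Services applet sets implicitly when you pick a gMSA identity in the GUI.
# Assumptions: gMSA installed on this host, "Log on as a service" already granted,
# ActiveDirectory module available, elevated session.
param(
    [string]$ServiceName = 'WalletService',   # service used for testing in the original post
    [string]$GmsaAccount = 'DOMAIN\gMSA03$'    # from the original post; replace with your own gMSA
)

# Test-ADServiceAccount wants the SAM name (gMSA03$) without the DOMAIN\ prefix.
$samName = ($GmsaAccount -split '\\')[-1]

function Invoke-Sc {
    # Run sc.exe with the given arguments, return its text, and throw on a non-zero exit code.
    param([string[]]$ScArgs)
    $out = & sc.exe @ScArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe $($ScArgs -join ' ') failed with exit code $LASTEXITCODE:`n$out"
    }
    return $out
}

function Test-ManagedAccountFlag {
    # $true when 'sc qmanagedaccount' reports the flag as set.
    # Assumption: output contains 'ACCOUNT_MANAGED : TRUE'; adjust the regex if your build differs.
    param([string]$Name)
    $out = Invoke-Sc @('qmanagedaccount', $Name)
    return [bool]($out -match 'ACCOUNT_MANAGED\s*:\s*TRUE')
}

# 1. Confirm this computer can actually retrieve the gMSA password before touching the service.
Import-Module ActiveDirectory -ErrorAction Stop
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "This host cannot retrieve the password for $samName. Check PrincipalsAllowedToRetrieveManagedPassword and Install-ADServiceAccount."
}

# 2. Set the service identity. No password= argument: once managedaccount is true the SCM
#    asks Netlogon for the password instead of using a stored one.
Invoke-Sc @('config', $ServiceName, 'type=', 'own', 'obj=', $GmsaAccount) | Out-Null

# 3. Query, set, and re-query the managed-account flag (the step the Services applet does for you).
Write-Host "managedaccount before: $(Test-ManagedAccountFlag $ServiceName)"
Invoke-Sc @('managedaccount', $ServiceName, 'true') | Out-Null
if (-not (Test-ManagedAccountFlag $ServiceName)) {
    throw "managedaccount flag was not set on $ServiceName"
}
Write-Host "managedaccount after : $(Test-ManagedAccountFlag $ServiceName)"

# 4. Restart and verify the service is running under the gMSA, not just configured for it.
Restart-Service -Name $ServiceName -ErrorAction Stop
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc.State -ne 'Running' -or $svc.StartName -ne $GmsaAccount) {
    throw "$ServiceName is $($svc.State) as $($svc.StartName); expected Running as $GmsaAccount"
}
Write-Host "$ServiceName is running as $($svc.StartName)"
```

The Test-ADServiceAccount check up front separates the two failure modes that look identical from the service's point of view (a logon failure): the host not being allowed to retrieve the password at all, versus the SCM never asking Netlogon for it because the managedaccount flag is off. Step 3 fails the script rather than proceeding if the flag did not stick, so a silent fallback to a stored (empty) password cannot masquerade as a working configuration.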