@kewalaka
Last active March 21, 2021 22:31
This demo creates a gMSA (group Managed Service Account) and illustrates how to set up resource-based constrained delegation (RBCD) to it.
# this stuff corresponds to my lab, I don't care that the info is public :)
# this group contains the principals that can read the gMSA password
# creating a group is optional; principals can also be listed directly in PrincipalsAllowedToRetrieveManagedPassword
$GroupToReadPassword = (Get-ADGroup g-labsql03)
$params = @{
Name = 'gmsaSQL03'
DNSHostName = 'gmsaSQL03.kewalaka.nz'
Description = 'this is not an awesome description'
Path = 'OU=ServiceAccounts,OU=Inf,DC=ad,DC=kewalaka,DC=nz'
# optionally specify a service account or a list @('account1','account2')
PrincipalsAllowedToRetrieveManagedPassword = $GroupToReadPassword
Enabled = $true
}
New-ADServiceAccount @params
# add the principal that needs to read the password. normally this is the computer account of each host that will
# run the service (it fetches the password with Install-ADServiceAccount). anything in this group can read
# msDS-ManagedPassword over LDAP and so effectively owns the gMSA, so keep the membership minimal and audited.
$GroupToReadPassword | Add-ADGroupMember -Members 's-labsql03-dbe'
# setting up delegation
# we're going to use resource based constrained delegation (RBCD)
#
# this is an alternative to traditional constrained delegation, which is configured on the front-end
# account and needs SeEnableDelegationPrivilege (in practice a Domain Admin or equivalent).
# RBCD is configured on the back-end account instead (msDS-AllowedToActOnBehalfOfOtherIdentity on the gMSA),
# so whoever has write access to that object, typically the application team that owns it, can do it.
# the flip side: anyone who can write that attribute can grant delegation to accounts they control,
# so treat write access to the gMSA object as sensitive.
#
# don't use unconstrained delegation, a unicorn cries when you do.
# only domain controllers should use unconstrained delegation.
# the SPN could also have been set by passing ServicePrincipalName to New-ADServiceAccount earlier,
# but illustrating with good ol' setspn. the SPN must match the host name (and port) clients connect with,
# otherwise they negotiate NTLM instead of Kerberos and no delegation happens:
setspn -S MSSQLSvc/labsql03.ad.kewalaka.nz:1433 gmsaSQL03$
# then, to use resource based constrained delegation:
# we need a group that will contain the front-end accounts (here the IIS app pool identity) that the
# back-end (the gMSA running SQL) will accept delegation from.
# again this could be specified as a list directly on the account, but a group makes it easier to support.
$params = @{
Name = 'g-LABSQL03-delegs'
Description = 'SQL03 will accept delegation from this group'
Path = 'OU=Groups,OU=Inf,DC=ad,DC=kewalaka,DC=nz'
GroupScope = 'DomainLocal'
GroupCategory = 'Security'
}
New-ADGroup @params
# now point the gMSA at this group. Set-ADServiceAccount writes it into msDS-AllowedToActOnBehalfOfOtherIdentity
# on the gMSA (the back-end); nothing needs to change on the front-end account.
$ADgroupDelegationFrom = Get-ADGroup $params.Name
$ADgroupDelegationFrom | Add-ADGroupMember -Members 's-iisapppool'
Set-ADServiceAccount 'gmsaSQL03$' -PrincipalsAllowedToDelegateToAccount $ADgroupDelegationFrom
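An added verification script, not part of the original gist, that reads back what the commands above configured: the SPNs, the expanded list of principals that can retrieve the gMSA password, the RBCD security descriptor that Set-ADServiceAccount wrote, the membership of the delegation group, and a domain-wide sweep for every object with RBCD set. Account and group names are taken from the gist; the KDS root key check and the host-side Install/Test steps are assumptions about a standard gMSA rollout rather than anything the gist states.

```powershell
# Verification and audit for the gist above (added example, not the original script).
# Assumes the names used in the gist: gmsaSQL03 and g-LABSQL03-delegs.
# Run from a machine with the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$GmsaName   = 'gmsaSQL03$'
$DelegGroup = 'g-LABSQL03-delegs'

# 1. Prerequisite (assumption about the rollout): New-ADServiceAccount fails with
#    "Key does not exist" unless a KDS root key exists. Outside a lab the key should be
#    at least 10 hours old so that every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Write-Warning 'No KDS root key. On a DC run Add-KdsRootKey (lab only: -EffectiveImmediately).'
}

# 2. Read the gMSA back with the attributes that matter.
$props = @(
    'PrincipalsAllowedToRetrieveManagedPassword',
    'PrincipalsAllowedToDelegateToAccount',
    'ServicePrincipalNames',
    'msDS-AllowedToActOnBehalfOfOtherIdentity'
)
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties $props

Write-Host "SPNs on $($gmsa.SamAccountName):"
$gmsa.ServicePrincipalNames | ForEach-Object { "  $_" }

# Anything listed here can read msDS-ManagedPassword over LDAP and therefore act as the
# gMSA. Groups are expanded so the actual accounts are visible; check they are the SQL
# hosts' computer accounts rather than user accounts.
Write-Host "`nPrincipals that can retrieve the managed password (groups expanded):"
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive |
            ForEach-Object { "  $($_.SamAccountName) [$($_.objectClass)] via $($obj.Name)" }
    } else {
        "  $($obj.Name) [$($obj.ObjectClass)]"
    }
}

# 3. RBCD lives in msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end (the gMSA).
#    It is a security descriptor: the KDC lets any identity granted access in it obtain
#    service tickets to this account on behalf of users (S4U2Proxy), except users marked
#    sensitive or in Protected Users. The AD module returns it as an ActiveDirectorySecurity
#    object, so the ACEs are in .Access.
Write-Host "`nFront-ends trusted for RBCD to $($gmsa.SamAccountName):"
$sd = $gmsa.'msDS-AllowedToActOnBehalfOfOtherIdentity'
if ($null -eq $sd) {
    Write-Warning 'RBCD is not configured on this account.'
} else {
    $sd.Access | ForEach-Object { "  $($_.IdentityReference) ($($_.AccessControlType))" }
}
Write-Host "`nMembers of $DelegGroup (each can impersonate users to the gMSA):"
Get-ADGroupMember -Identity $DelegGroup -Recursive |
    ForEach-Object { "  $($_.SamAccountName) [$($_.objectClass)]" }

# 4. Domain-wide sweep: every object with RBCD configured, whoever set it. Worth running
#    periodically, because anyone with write access to the attribute can add themselves.
Write-Host "`nAll objects in the domain with RBCD configured:"
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $trusted = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
            ForEach-Object { $_.IdentityReference }
        "  $($_.DistinguishedName) <- $($trusted -join ', ')"
    }

# 5. On each SQL host, once its computer account is in the password-reader group and it
#    has a fresh Kerberos ticket (a reboot is the simple way), install and test the gMSA:
#      Install-ADServiceAccount -Identity 'gmsaSQL03$'
#      Test-ADServiceAccount -Identity 'gmsaSQL03$'   # $true means the host can retrieve the password
```

Step 2 and step 3 together are the two control points worth reviewing after any change: the password-reader list decides who can become the gMSA, and the RBCD descriptor decides who can impersonate users to it. Step 4 catches RBCD entries added outside this process, since the attribute can be written by anyone with write access to the target object, not only by the group shown in the gist.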