
Task 1.5: Create and manage groups

Create the gMSA:

  1. In the PowerShell window, run the following command to set the variables:

     $gMSA_AccountName = 'mdiSvc01'
     $gMSA_HostsGroupName = 'mdiSvc01Group'
     $gMSA_HostNames = 'DC01'
    
  2. Import the required PowerShell module by entering the following command

     Import-Module ActiveDirectory
    
  3. Create the group and add the members. Use the built-in ‘Domain Controllers’ group instead if the environment is a single forest and will contain only domain controller sensors:

     $gMSA_HostsGroup = New-ADGroup -Name $gMSA_HostsGroupName -GroupScope Global -PassThru
     $gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ } | ForEach-Object { Add-ADGroupMember -Identity $gMSA_HostsGroupName -Members $_ }
    
  4. Set up the KDS root key for gMSA management and create the gMSA:

     Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
     New-ADServiceAccount -Name $gMSA_AccountName -DNSHostName "$gMSA_AccountName.$env:USERDNSDOMAIN" -PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroupName
    
  5. To verify that the service account was created successfully, go to Active Directory Users and Computers.

  6. In the left navigation area, expand Managed Service Accounts. Check that the mdiSvc01 service account has been created.

  7. Grant the required gMSA permissions. Declare the identity to which you want to grant read access to the Deleted Objects container by entering:

     $Identity = 'mdiSvc01'
    
  8. If the identity is a gMSA, first create a group and add the gMSA to it:

     $groupName = 'mdiUsr01Group'
     $groupDescription = 'Members of this group are allowed to read the objects in the Deleted Objects container in AD'
     if(Get-ADServiceAccount -Identity $Identity -ErrorAction SilentlyContinue) {
         $groupParams = @{
             Name           = $groupName
             SamAccountName = $groupName
             DisplayName    = $groupName
             GroupCategory  = 'Security'
             GroupScope     = 'Universal'
             Description    = $groupDescription
         }
         $group = New-ADGroup @groupParams -PassThru
         Add-ADGroupMember -Identity $group -Members ('{0}$' -f $Identity)
         $Identity = $group.Name
     }
    
  9. Get the deleted objects container’s distinguished name:

     $distinguishedName = ([adsi]'').distinguishedName.Value
     $deletedObjectsDN = 'CN=Deleted Objects,{0}' -f $distinguishedName
    
  10. Build the dsacls arguments in $params that take ownership of the container:

     $params = @("$deletedObjectsDN", '/takeOwnership')
    
  11. Grant the ‘List Contents’ and ‘Read Property’ permissions to the user or group:

     $params = @("$deletedObjectsDN", '/takeOwnership')
     C:\Windows\System32\dsacls.exe $params
     $params = @("$deletedObjectsDN", '/G', ('{0}\{1}:LCRP' -f ([adsi]'').name.Value, $Identity))
     C:\Windows\System32\dsacls.exe $params
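A post-deployment check for the steps above, added here as an example; it is not part of the lab or of Microsoft's own scripts. It assumes the names used in the steps (mdiSvc01, mdiSvc01Group, mdiUsr01Group) and that it runs on DC01 as a domain admin after step 11 has completed.

```powershell
# Added verification script (not part of the lab). Assumes the names from the
# steps above and that it runs on DC01 as a domain admin after step 11.
Import-Module ActiveDirectory

$gMSA_AccountName    = 'mdiSvc01'
$gMSA_HostsGroupName = 'mdiSvc01Group'
$readerGroupName     = 'mdiUsr01Group'   # group created in step 8

# 1. A KDS root key must exist; without one no host can retrieve the gMSA password.
#    Backdating -EffectiveTime (step 4) is a lab shortcut; in production let the
#    key replicate for 10 hours before creating service accounts.
if (-not (Get-KdsRootKey)) { throw 'No KDS root key found; run Add-KdsRootKey first.' }

# 2. Only the hosts group may retrieve the managed password. Any other principal
#    in this list could read the password and act as the sensor account.
$svc = Get-ADServiceAccount -Identity $gMSA_AccountName `
           -Properties PrincipalsAllowedToRetrieveManagedPassword
$hostsGroupDN = (Get-ADGroup -Identity $gMSA_HostsGroupName).DistinguishedName
$allowed = @($svc.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed -notcontains $hostsGroupDN) {
    Write-Warning "$gMSA_HostsGroupName cannot retrieve the password of $gMSA_AccountName"
}
$allowed | Where-Object { $_ -ne $hostsGroupDN } |
    ForEach-Object { Write-Warning "Unexpected principal may retrieve the password: $_" }

# 3. This DC can actually use the account (a fresh ticket is needed after it joined the group).
if (-not (Test-ADServiceAccount -Identity $gMSA_AccountName)) {
    Write-Warning "Test-ADServiceAccount failed on $env:COMPUTERNAME; reboot or run 'klist purge' and retry."
}

# 4. The reader group holds exactly List Contents + Read Property on Deleted Objects.
#    The container itself is flagged as deleted, so it is fetched with -IncludeDeletedObjects;
#    reading its DACL works because step 11 took ownership of it.
$deletedObjectsDN = 'CN=Deleted Objects,{0}' -f ([adsi]'').distinguishedName.Value
$container = Get-ADObject -Identity $deletedObjectsDN -IncludeDeletedObjects -Properties nTSecurityDescriptor
$expected  = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$readerSid = (Get-ADGroup -Identity $readerGroupName).SID
$aces = $container.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $readerSid.Value -and $_.AccessControlType -eq 'Allow' }
$granted = 0
foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }
if (($granted -band $expected) -ne $expected) {
    Write-Warning "$readerGroupName is missing List Contents/Read Property on $deletedObjectsDN"
} elseif (($granted -band (-bnot $expected)) -ne 0) {
    Write-Warning "$readerGroupName holds more than LCRP on $deletedObjectsDN (rights value $granted)"
} else {
    Write-Host "$readerGroupName has exactly LCRP on the Deleted Objects container"
}
```

Any warning from steps 2 or 4 means the account is either unusable by the sensor or more exposed than the lab intends; fix the membership or ACE before deploying the sensor.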