
Is it possible to use the New-Service command to create a service using a gMSA account? I tried creating the credentials with a blank password but it fails because ConvertTo-SecureString expects the string to not be empty.

```powershell
$password = ConvertTo-SecureString "" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("DOMAIN\dev-user$", $password)
New-Service -Name Service -BinaryPathName C:\Service -StartupType Automatic -Credential $credential
Start-Service -Name "Service"
```

I then tried setting the string to just `a` to see if it even cared about the password, since this is a gMSA account, and I got this error.

New-Service : Service '(Service)' cannot be created due to the following error: The account name is invalid or does not exist, or the password is invalid for the account name specified

EDIT: I know there are other ways I could accomplish this like Wmi-Object or sc.exe but I wanted to see if there was a means to do this via New-Service just to see if I am missing something or doing something wrong.

Max Young
  • Does this help? https://stackoverflow.com/a/64275849/15339544 – Santiago Squarzon Oct 31 '22 at 18:52
  • @SantiagoSquarzon trying to see if this can be done without WMI using the New-Service command. I know I could also do this with sc.exe but was hoping for a definitive answer on if there is a way to make the New-Service command work with gMSA accounts. – Max Young Oct 31 '22 at 20:31
  • I'm not sure Windows allows you to create the service using the gMSA. I think you need to create it first using a service account or the same logged-on account and then update the service to use the gMSA, which is what the linked answer I posted is doing – Santiago Squarzon Oct 31 '22 at 22:48
  • @SantiagoSquarzon I found a means to do it locally, though not sure this works with older versions of PowerShell/Windows. – Max Young Nov 01 '22 at 14:23

1 Answer

I found an answer for how to make a new blank SecureString and this worked:

```powershell
$credential = New-Object System.Management.Automation.PSCredential("DOMAIN\dev-user$", (New-Object System.Security.SecureString))
New-Service -Name Service -BinaryPathName C:\Service -StartupType Automatic -Credential $credential
Start-Service -Name "Service"
```

This answer assisted me in figuring out how to do this.

EDIT: Wanted to add that this did not work on 2012r2 but worked on Windows 10 and 2016.

Max Young
  • nice finding! glad it worked – Santiago Squarzon Nov 01 '22 at 14:23
  • This didn't work for me on Windows Server 2022, failing with the following error: New-Service : Service 'ServiceDisplayName (ServiceShortName)' cannot be created due to the following error: The account name is invalid or does not exist, or the password is invalid for the account name specified – jproch Nov 17 '22 at 21:55
  • I was able to do so in 2 steps: `New-Service ... | Set-Service -Credential $credential` – riezebosch Aug 24 '23 at 08:51
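
The following is an added example, not code from any poster in this thread. It combines the one-step form from the answer with the two-step form from the last comment, then checks which account the service actually ended up with. `New-GmsaService` is a hypothetical helper name, and the sketch assumes `Set-Service -Credential` is available (PowerShell 6 or later) and that the Service Control Manager reports the account in the same `DOMAIN\name$` form it was given.

```powershell
# Added example; New-GmsaService is a hypothetical helper name.
function New-GmsaService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $BinaryPathName,
        # gMSA as DOMAIN\name$; the trailing $ is part of the account name.
        [Parameter(Mandatory)] [ValidatePattern('\$$')] [string] $GmsaAccount
    )

    # The caller never knows a gMSA password, so pass an empty SecureString.
    # (ConvertTo-SecureString "" fails, as the question shows.)
    $empty      = New-Object System.Security.SecureString
    $credential = New-Object System.Management.Automation.PSCredential($GmsaAccount, $empty)
    $common     = @{ Name = $Name; BinaryPathName = $BinaryPathName
                     StartupType = 'Automatic'; ErrorAction = 'Stop' }

    try {
        # One-step form from the answer (reported working on Windows 10 and 2016).
        New-Service @common -Credential $credential | Out-Null
    }
    catch {
        Write-Warning "One-step creation failed: $($_.Exception.Message)"
        # Two-step form from the comment: create first, then assign the account.
        # Assumption: Set-Service -Credential requires PowerShell 6 or later.
        $created = New-Service @common
        try { $created | Set-Service -Credential $credential -ErrorAction Stop }
        catch {
            # Do not leave behind a service that silently runs as LocalSystem.
            sc.exe delete $Name | Out-Null
            throw
        }
    }

    # Verify the logon account instead of assuming it was applied.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($svc.StartName -ne $GmsaAccount) {
        throw "Service '$Name' runs as '$($svc.StartName)', expected '$GmsaAccount'."
    }
    $svc | Select-Object Name, StartName, StartMode, State
}

# Usage with the values from the question:
# New-GmsaService -Name Service -BinaryPathName C:\Service -GmsaAccount 'DOMAIN\dev-user$'
```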