Possible to configure gMSA RunAs Account?

I’m looking to configure a RunAs account to use a locally installed gMSA, but PSU is not running as that gMSA. Typically, when you use a gMSA, you don’t specify a password, since the machine will retrieve that password automatically. But when I try to create a PSCredential secret with the gMSA name and an empty password, the secret fails to store to the vault (tried several different storage locations).

Is this not supported, or am I missing something?

This is more a limitation of the SecretManagement module in regard to its extendable vaults. The computer has access to retrieve the password, but it's not some kind of automagic; to use the gMSA you need to invoke the proper APIs in order to get the secret.

For example, even the built-in Windows credential provider doesn't just support inputting a blank password because you're specifying a gMSA, but other components like the Service Manager do.

I vaguely recall there being a discussion in the PowerShell community where people from the PowerShell team basically said it wasn't part of the built-in modules but that it could potentially be added by third parties in a custom vault module. But I don't think it was ever made, or whether it's actually possible.

Granted, it would be a great feature if it came to PSU, whether possible through the SecretManagement/Vault system or otherwise baked into PSU.
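The "proper APIs" the reply refers to come down to reading the gMSA's `msDS-ManagedPassword` attribute from Active Directory, which the domain controller only returns to principals listed in the account's `PrincipalsAllowedToRetrieveManagedPassword`, and then parsing the MSDS-MANAGEDPASSWORD_BLOB it contains (MS-ADTS 2.2.22). The following is an added example, not code from this thread, from PSU or from the SecretManagement module. It assumes the RSAT ActiveDirectory module is installed, that the identity PSU runs as (the computer account when it runs as a local service, otherwise the domain user it runs as) is allowed to retrieve the managed password, and that `svc-psu`, `CONTOSO` and `PSUVault` are placeholder names. The blob layout written into the constructed self-check follows the MS-ADTS field order; the sample password is made up.

```powershell
# Added example, not from the thread or from PSU. Assumes the RSAT ActiveDirectory
# module is installed and that the identity running this code is listed in the
# gMSA's PrincipalsAllowedToRetrieveManagedPassword (computer account or service user).

function ConvertFrom-ManagedPasswordBlob {
    # Parses an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.22) as returned in the
    # msDS-ManagedPassword attribute and returns CurrentPassword as a string.
    # Layout: Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
    #         PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2)
    #         UnchangedPasswordIntervalOffset(2), then the null-terminated WCHAR strings.
    param([Parameter(Mandatory)][byte[]]$Blob)

    if ($Blob.Length -lt 16) { throw 'Blob is too short to be an MSDS-MANAGEDPASSWORD_BLOB.' }
    $version = [BitConverter]::ToUInt16($Blob, 0)
    if ($version -ne 1) { throw "Unexpected blob version $version (expected 1)." }
    $length = [BitConverter]::ToUInt32($Blob, 4)
    if ($length -ne $Blob.Length) { throw "Length field $length does not match blob size $($Blob.Length)." }
    $offset = [BitConverter]::ToUInt16($Blob, 8)
    if ($offset -lt 16 -or $offset -ge $Blob.Length) { throw "CurrentPasswordOffset $offset is out of range." }

    # The password is random UTF-16 and may contain unpaired surrogates, so copy the
    # code units one by one instead of decoding through [Text.Encoding]::Unicode,
    # which would silently replace invalid sequences with U+FFFD and corrupt the secret.
    $units = New-Object System.Collections.Generic.List[char]
    for ($i = $offset; $i + 1 -lt $Blob.Length; $i += 2) {
        $unit = [BitConverter]::ToChar($Blob, $i)
        if ($unit -eq [char]0) { break }
        $units.Add($unit)
    }
    if ($units.Count -eq 0) { throw 'CurrentPassword in blob is empty.' }
    return [string]::new($units.ToArray())
}

function Get-GmsaCredential {
    # Reads the gMSA's current managed password from AD and wraps it in a PSCredential.
    param(
        [Parameter(Mandatory)][string]$Name,   # gMSA sAMAccountName, with or without trailing '$'
        [Parameter(Mandatory)][string]$Domain  # NetBIOS domain name, e.g. 'CONTOSO' (placeholder)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $account = Get-ADServiceAccount -Identity $Name `
        -Properties 'msDS-ManagedPassword', 'PrincipalsAllowedToRetrieveManagedPassword'
    $blob = $account.'msDS-ManagedPassword'
    if (-not $blob) {
        # The DC returns this attribute only to allowed principals; everyone else simply
        # gets no value back rather than an access-denied error, so check explicitly.
        $allowed = $account.PrincipalsAllowedToRetrieveManagedPassword -join ', '
        throw "No managed password returned for $Name. Caller $env:USERDOMAIN\$env:USERNAME is not allowed to retrieve it (allowed: $allowed)."
    }

    $plain  = ConvertFrom-ManagedPasswordBlob -Blob $blob
    $secure = New-Object System.Security.SecureString
    foreach ($c in $plain.ToCharArray()) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()
    return New-Object System.Management.Automation.PSCredential("$Domain\$($account.SamAccountName)", $secure)
}

# Offline self-check of the parser with a constructed blob (not real AD output):
# 16-byte header, 'Pa55w0rd' as UTF-16LE at offset 16, NUL terminator at 32,
# padding to an 8-byte boundary, then the two 8-byte interval fields at 40 and 48.
$pw   = [Text.Encoding]::Unicode.GetBytes('Pa55w0rd')
$blob = New-Object byte[] 56
[BitConverter]::GetBytes([uint16]1).CopyTo($blob, 0)    # Version
[BitConverter]::GetBytes([uint32]56).CopyTo($blob, 4)   # Length
[BitConverter]::GetBytes([uint16]16).CopyTo($blob, 8)   # CurrentPasswordOffset
[BitConverter]::GetBytes([uint16]40).CopyTo($blob, 12)  # QueryPasswordIntervalOffset
[BitConverter]::GetBytes([uint16]48).CopyTo($blob, 14)  # UnchangedPasswordIntervalOffset
$pw.CopyTo($blob, 16)
if ((ConvertFrom-ManagedPasswordBlob -Blob $blob) -ne 'Pa55w0rd') { throw 'Parser self-check failed.' }

# Real use on a domain-joined host (placeholder names):
#   $cred = Get-GmsaCredential -Name 'svc-psu' -Domain 'CONTOSO'
#   Set-Secret -Name 'gmsa-svc-psu' -Secret $cred -Vault 'PSUVault'
```

Two caveats before doing this in production. First, the point of a gMSA is that Windows rotates the password automatically (every 30 days by default); a PSCredential copy written into a vault is a snapshot that goes stale at the next rotation and has to be refreshed on a schedule, and anyone who can read the vault now holds a usable domain credential until then. Second, retrieval rights are what matter, not whether the gMSA is "installed" on the host: `Test-ADServiceAccount -Identity svc-psu` tells you whether the local computer can use the account, but if PSU runs as a domain user rather than as a local service, that user itself has to appear in `PrincipalsAllowedToRetrieveManagedPassword` or the attribute comes back empty.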
