List current Principals in group Managed Service Accounts
Solution 1:
It turns out that you can list all the properties for gMSA by running:
Get-ADServiceAccount -Identity <gMSA-account> -Properties *
And if you want to narrow down the list you can use:
Get-ADServiceAccount -Identity <gMSA-account> -Properties PrincipalsAllowedToRetrieveManagedPassword
It's not very readable, since it's a list of distinguished names and has several other properties listed, but it's a useful command.
Update: to show all the entries from this property you can use this command, which is shorter and easier to handle than what @Gregory posted:
(Get-ADServiceAccount -Identity <gMSA-account> -Properties *).PrincipalsAllowedToRetrieveManagedPassword
You can select a specific property, instead of the wildcard *, to decrease the data flowing over the network, but the line becomes prohibitively long due to the verbose name of the property.
Solution 2:
If the list of Principals includes an ellipsis (…), then you will need a foreach loop to get the full list:
Get-ADServiceAccount -Identity <gMSA-account> -Properties PrincipalsAllowedToRetrieveManagedPassword |
select PrincipalsAllowedToRetrieveManagedPassword |
ForEach-Object { $_.PrincipalsAllowedToRetrieveManagedPassword }
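Added example (not from either answer above): an audit helper that resolves the distinguished names in PrincipalsAllowedToRetrieveManagedPassword to readable names and expands groups, so you can see every account that can effectively retrieve a gMSA password. The function name Get-GmsaPasswordReader and the output column names are made up for this example; it assumes the ActiveDirectory module is installed and that you have read access to the directory.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper name, chosen for this example.
function Get-GmsaPasswordReader {
    param(
        # gMSA name; omit to audit every managed service account in the domain
        [string]$Identity
    )

    $prop = 'PrincipalsAllowedToRetrieveManagedPassword'
    $accounts = if ($Identity) {
        Get-ADServiceAccount -Identity $Identity -Properties $prop
    } else {
        Get-ADServiceAccount -Filter * -Properties $prop
    }

    foreach ($account in $accounts) {
        foreach ($dn in $account.$prop) {
            # Resolve each distinguished name to a readable object
            $principal = Get-ADObject -Identity $dn -Properties sAMAccountName
            [pscustomobject]@{
                gMSA           = $account.Name
                Principal      = $principal.sAMAccountName
                ObjectClass    = $principal.ObjectClass
                GrantedThrough = '(direct)'
            }
            # A group grants retrieval rights to all of its nested members
            if ($principal.ObjectClass -eq 'group') {
                foreach ($member in (Get-ADGroupMember -Identity $dn -Recursive)) {
                    [pscustomobject]@{
                        gMSA           = $account.Name
                        Principal      = $member.SamAccountName
                        ObjectClass    = $member.objectClass
                        GrantedThrough = $principal.sAMAccountName
                    }
                }
            }
        }
    }
}

# One row per principal, grouped by gMSA and by the group that grants access
Get-GmsaPasswordReader | Sort-Object gMSA, GrantedThrough, Principal |
    Format-Table -AutoSize
```

Pass -Identity <gMSA-account> to limit the report to a single account. Rows where GrantedThrough is a group name are the ones to review when group membership changes.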