First get the list of gMSAs from AD:<\/p>\n
$gMSAlist = Get-ADServiceAccount -filter {samAccountName -like \"*\"}<\/pre>\nSecond Determine the systems allowed to use them:<\/p>\n
ForEach ($gMSA in $gMSAlist) {(Get-ADServiceAccount $gMSA -properties *).PrincipalsAllowedToRetrieveManagedPassword}<\/pre>\nYay, we know who can use these accounts… but ARE they currently using it. If this returns a Group, look to see the systems in this group, else just access the system in question.<\/p>\n
Third, verify the account is in use by listing all the services on the system and the accounts used to run them:<\/p>\n
Get-Service | Select -ExpandProperty Name | ForEach{(Get-WmiObject Win32_Service -Filter \"Name='$_'\") | Select Name, StartName}<\/pre>\nThe above command simply lists out all the services and the account they run under, it’s not optimal as it is slow, but it gets it all, and if you need a more readable version pipe it into Output-CSV, or apply a more granular filter on the result for the gMSAs in question.<\/p>\n
That’s about it, if you don’t see the gMSA listed on any service on the target machine, it’s rather safe to assume that the gMSA is not in use and can be safely removed from AD.<\/p>\n
Remove-ADServiceAccount gMSAToBeRemoved<\/pre>\n","protected":false},"excerpt":{"rendered":"First get the list of gMSAs from AD: $gMSAlist = Get-ADServiceAccount -filter {samAccountName -like “*”} Second Determine the systems allowed to use them: ForEach ($gMSA in $gMSAlist) {(Get-ADServiceAccount $gMSA -properties *).PrincipalsAllowedToRetrieveManagedPassword} Yay, we know who can use these accounts… but ARE they currently using it. If this returns a Group, look to see the systems … <\/p>\n