PowerShell Commands for the UVMSQL Appliance

This section contains a sample of PowerShell commands that can be used to prepare the OU, security groups, and Group Managed Service Accounts (gMSAs). These instructions assume the following names:

Domain: UVMLAND.LOCAL
OU: UVMSQL.CLUSTER
Server security group: UVMServerGroup
Service account security group: UVMSvcAcctGroup
Group Managed Service Account: UVMSvcAccount

Create an Organizational Unit (OU) for the UVMSQL Appliances

# The parent OU (OU=UVMSQL) must already exist; this creates the CLUSTER OU beneath it
New-ADOrganizationalUnit -Name "CLUSTER" -Path "OU=UVMSQL,DC=UVMLAND,DC=LOCAL"

Block Inheritance for the OU

# Requires the GroupPolicy module (part of RSAT)
Set-GPInheritance -Target "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -IsBlocked Yes

Create a Security Group for the UVMSQL Appliance Servers in the OU

New-ADGroup -Name "UVMServerGroup" -SamAccountName UVMServerGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Servers" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliances"

Create a Security Group for the UVMSQL Appliance Service Accounts in the OU

New-ADGroup -Name "UVMSvcAcctGroup" -SamAccountName UVMSvcAcctGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Service Accounts" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliance Service Accounts"

Create the KDS Root Key if One Is Not Already Created for the Forest

This is required for creating gMSAs. With the EffectiveImmediately argument, the key is created right away but only becomes usable about ten hours later, which gives it time to replicate to all domain controllers before any gMSA password is derived from it.

Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveImmediately

or

# Backdate the effective time by ten hours so the key can be used immediately.
# This skips the replication wait, so use it only where every domain controller
# already has the key (for example a single-DC lab environment).
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Create the Group Managed Service Account (gMSA) giving the UVMSQL Appliance Servers security group permission to retrieve the managed password

New-ADServiceAccount -Name UVMSvcAccount -DnsHostName UVMSvcAccount.UVMLAND.LOCAL -PrincipalsAllowedToRetrieveManagedPassword "UVMServerGroup"

Add the gMSA to the UVMSQL Appliance Service Accounts Security Group

Add-ADGroupMember -Identity UVMSvcAcctGroup -Members "CN=UVMSvcAccount,CN=Managed Service Accounts,DC=UVMLAND,DC=LOCAL"

Give the UVMSQL Appliance Service Accounts Group Full Control of the UVMSQL Appliance OU

# The AD: drive used below is provided by the ActiveDirectory module (Import-Module ActiveDirectory)
$ou = "AD:\OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL"
$group = Get-ADGroup UVMSvcAcctGroup
$group_sid = $group.SID   # Get-ADGroup already returns the SID as a SecurityIdentifier object
$ou_acl = Get-Acl $ou
# GenericAll = Full Control. This three-argument constructor creates an ACE with
# inheritance type None, so it applies to the OU object itself and is not inherited
# by objects inside the OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $group_sid, "GenericAll", "Allow"
$ou_acl.AddAccessRule($ace)
Set-Acl -AclObject $ou_acl $ou
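The following verification script is an added example and is not part of the original instructions or the appliance vendor's tooling. It checks that the objects created above ended up in the state the steps intend, using the assumed names (UVMLAND.LOCAL, the CLUSTER OU under UVMSQL, UVMServerGroup, UVMSvcAcctGroup, UVMSvcAccount) and is meant to run on a domain-joined administrative host with the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
# Added verification script (assumption: names match the instructions above).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouDn      = "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL"
$serverGrp = "UVMServerGroup"
$svcGrp    = "UVMSvcAcctGroup"
$gmsa      = "UVMSvcAccount"
$script:failures = @()

function Check([bool]$ok, [string]$message) {
    if ($ok) { Write-Host "PASS: $message" }
    else     { Write-Host "FAIL: $message"; $script:failures += $message }
}

# 1. A KDS root key must exist and already be effective, otherwise gMSA
#    password generation fails until EffectiveTime is reached.
$effectiveKeys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
Check (@($effectiveKeys).Count -ge 1) "an effective KDS root key exists"

# 2. The OU exists and GPO inheritance is blocked as intended.
$ou = Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction SilentlyContinue
Check ($null -ne $ou) "OU $ouDn exists"
if ($ou) { Check ((Get-GPInheritance -Target $ouDn).GpoInheritanceBlocked) "GPO inheritance is blocked on the OU" }

# 3. Only the appliance server group may retrieve the managed password.
$serverGrpDn = (Get-ADGroup $serverGrp).DistinguishedName
$svc = Get-ADServiceAccount $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($svc.PrincipalsAllowedToRetrieveManagedPassword)
Check ($allowed -contains $serverGrpDn) "$serverGrp can retrieve the gMSA password"
Check ($allowed.Count -eq 1) "no other principal can retrieve the gMSA password"

# 4. The gMSA is a member of the service-account group.
$memberDns = Get-ADGroupMember $svcGrp | ForEach-Object { $_.DistinguishedName }
Check ($memberDns -contains $svc.DistinguishedName) "$gmsa is a member of $svcGrp"

# 5. The service-account group holds the GenericAll ACE on the OU. Every other
#    explicit (non-inherited) Allow entry is printed so it can be reviewed.
$netbios = (Get-ADDomain).NetBIOSName
$explicit = (Get-Acl "AD:\$ouDn").Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq "Allow" }
$svcAce = $explicit | Where-Object {
    $_.IdentityReference.Value -eq "$netbios\$svcGrp" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
}
Check ($null -ne $svcAce) "$svcGrp has GenericAll on the OU"
$explicit | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType | Format-Table -AutoSize

if ($script:failures.Count -eq 0) { Write-Host "All checks passed" } else { Write-Host "$($script:failures.Count) check(s) failed" }
```

To confirm that an appliance can actually fetch the managed password, run Test-ADServiceAccount UVMSvcAccount on a server that is a member of UVMServerGroup (after a reboot so its computer token includes the group); it returns True when retrieval succeeds.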