PowerShell Commands for the UVMSQL Appliance

This section contains a sample of PowerShell commands that could be used to prepare the OU, security groups, and Group Managed Service Accounts (gMSAs). This instruction assumes the following:

Server security group UVMServerGroup
Service account security group UVMSvcAcctGroup
Group Managed Service Account UVMSvcAccount

Create an Organizational Unit (OU) for the UVMSQL Appliances

New-ADOrganizationalUnit -Name "CLUSTER" -Path "OU=UVMSQL,DC=UVMLAND,DC=LOCAL"

Block Inheritance for the OU

Set-GPinheritance -Target "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -IsBlocked Yes

Create a Security Group for the UVMSQL Appliance Servers in the OU

New-ADGroup -Name "UVMServerGroup" -SamAccountName UVMServerGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Servers" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliances"

Create a Security Group for the UVMSQL Appliance Service Accounts in the OU

New-ADGroup -Name "UVMSvcAcctGroup" -SamAccountName UVMSvcAcctGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Service Accounts" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliance Service Accounts"

Create the KDS Root Key if One Is Not Already Created for the Forest

This is required for creating gMSAs. The EffectiveImmediately argument takes about ten hours to create and propagate the key.

Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveImmediately


Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) //to use immediately

Create the Group Managed Service Account (gMSA) giving the UVMSQL Appliance Servers security group permission to retrieve the managed password

New-ADServiceAccount -Name UVMSvcAccount -DnsHostName UVMSvcAccount.UVMLAND.LOCAL -PrincipalsAllowedToRetrieveManagedPassword "UVMServerGroup"

Add the gMSA to the UVMSQL Appliance Service Accounts Security Group

Add-ADGroupMember -Identity UVMSvcAcctGroup -Members "CN=UVMSvcAccount,CN=Managed Service Accounts,DC=UVMLAND,DC=LOCAL"

Give the UVMSQL Appliance Service Accounts Group Gull Control of the UVMSQL Appliance OU

$group = Get-ADGroup UVMSvcAcctGroup
$group_sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
$ou_acl = Get-Acl $ou
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $group_sid, "GenericAll", "Allow"
Set-Acl -AclObject $ou_acl $ou