Exam AZ-800 topic 1 question 47 discussion

It should be New-ADServiceAccount and -PrincipalsAllowedToRetrieveManagedPassword

Example to Create gMSA account : New-ADServiceAccount -Name "Account1" -DNSHostName "Account1.YourDomain.com" -PrincipalsAllowedToRetrieveManagedPassword "Group1" -Path "OU=CustomOU,DC=YourDomain,DC=com"

A opção PrincipalsAllowedToDelegateToAccount é usada para especificar quais principais (usuários ou grupos) têm permissão para delegar a conta de serviço gerenciada (gMSA) a outros serviços ou contas. Isso é diferente de PrincipalsAllowedToRetrieveManagedPassword, que define quais principais podem recuperar a senha gerenciada da gMSA. No seu caso, se o objetivo é permitir que Group1 use a gMSA Account1, a opção correta é PrincipalsAllowedToRetrieveManagedPassword, pois isso garante que os membros do grupo possam acessar a senha gerenciada necessária para autenticar e usar a conta de serviço. Se você precisar que Group1 delegue a gMSA a outros serviços, então você usaria PrincipalsAllowedToDelegateToAccount.

New-ADServiceAccount & -PrincipalsAllowedToRetrieveManagedPassword It's not -PrincipalsAllowedToDelegateToAccount because this is used when setting up delegation, which is not required here. We are needing to focus on which principals can use the gMSA. Since group 1 needs to use the the gMSA, we use -PrincipalsAllowedToRetrieveManagedPassword

New-ADServiceAccount -Name "Account1" -PrincipalsAllowedToRetrieveManagedPassword "Group1" -Path "OU=CustomOU,DC=YourDomain,DC=com"

New-ADServiceAccount and -PrincipalsAllowedToRetrieveManagedPassword

It should be: New-ADServiceAccount -Name "Account1" -DNSHostName "web.contoso.com" -PrincipalsAllowedToDelegateToAccount "Group1"

New-ADServiceAccount -PrincipalsAllowedToDelegateToAccount https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount?view=windowsserver2022-ps#-principalsallowedtodelegatetoaccount https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation

The answer should be New-ADServiceAccount -Name "Account1" -DNSHostName "website.contoso.com" -PrincipalsAllowedToRetrieveManagedPassword "Group1" Ref: https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts#use-case-for-creating-gmsa-account-for-non-domain-joined-container-hosts

New-ADServiceAccount -Name "Account1" -DNSHostName "website.contoso.com" -PrincipalsAllowedToRetrieveManagedPassword "Group1" This option specifies that "Group1" is allowed to retrieve the managed password for "Account1." While it doesn't explicitly mention allowing "Group1" to use "Account1" for service operations, it does grant permission for retrieving the password, which may indirectly allow for its use in certain scenarios.