Using a Managed Service Account (gMSA) for Server Install

Article ID: 290801

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to configure group managed service account (gMSA) for use with an App Control server installation

Environment

  • App Control Server: 8.10.0 and Higher
  • SQL Server Standard: All Supported Versions
  • SQL Server Enterprise: All Supported Versions

Resolution

  1. Use PowerShell to update the principals allowed to retrieve the password for the gMSA, adding the App Control server's computer account, e.g.:
    Set-ADServiceAccount -Identity gmsa1$ -PrincipalsAllowedToRetrieveManagedPassword appcserveraccount$
    • If the error "Set-ADServiceAccount is not recognized as the name of a cmdlet" is displayed, install the PowerShell AD tools first:
      Install-WindowsFeature RSAT-AD-PowerShell
  2. Verify the principals allowed to retrieve the password:
    Get-ADServiceAccount -Identity gmsa1$ -Properties PrincipalsAllowedToRetrieveManagedPassword
    DistinguishedName                          : CN=gmsa1,CN=Managed Service
    Name                                       : gmsa1
    PrincipalsAllowedToRetrieveManagedPassword : {CN=APPCSERVERACCOUNT,CN=Computers,DC=Example,DC=com}
    ...
    
  3. Install the gMSA onto the App Control system, e.g.:
    Install-ADServiceAccount gmsa1$
  4. Verify the gMSA has been installed on the App Control system:
    Test-ADServiceAccount gmsa1$
    True
  5. Add the gMSA to the local Administrators group on the App Control system:
    Add-LocalGroupMember -Group "Administrators" -Member gmsa1$
    
    • Verify the gMSA is a member of the local Administrators group:
      Get-LocalGroupMember -Group "Administrators"
      User        EXAMPLE\gmsa1$        ActiveDirectory
  6. Verify the gMSA has the required SQL Server permissions, including the sysadmin server role.
  7. The App Control Server application can now be installed with the group managed service account.
  8. During server setup, specify the account as domain\username$ and leave the password blank.
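As an added example (not part of the article), the following script runs steps 1 to 5 on the App Control server with a check after each step; the names gmsa1 and APPCSERVERACCOUNT are placeholders. It also handles a detail the individual cmdlets above do not show: -PrincipalsAllowedToRetrieveManagedPassword replaces the existing list, so the script reads the current principals and appends the server rather than overwriting whatever other hosts were already allowed.

```powershell
# Added example, not from the KB article: steps 1-5 end to end, run on the App Control server.
# Placeholder names; replace with the real gMSA and server computer account.
param(
    [string]$GmsaName       = 'gmsa1',             # gMSA sAMAccountName without the trailing $
    [string]$ServerComputer = 'APPCSERVERACCOUNT'  # App Control server computer account
)
$ErrorActionPreference = 'Stop'
$samName = $GmsaName + '$'

# Prerequisite for step 1: the AD cmdlets come from the RSAT AD PowerShell feature.
if (-not (Get-Command Set-ADServiceAccount -ErrorAction SilentlyContinue)) {
    Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
    Import-Module ActiveDirectory
}

$gmsa   = Get-ADServiceAccount -Identity $samName -Properties PrincipalsAllowedToRetrieveManagedPassword
$server = Get-ADComputer -Identity $ServerComputer

# Step 1: the parameter REPLACES the list, so keep existing principals and add only this server.
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed -notcontains $server.DistinguishedName) {
    Set-ADServiceAccount -Identity $gmsa `
        -PrincipalsAllowedToRetrieveManagedPassword ($allowed + $server.DistinguishedName)
}

# Step 2: confirm the server's DN is now in the list.
$check = Get-ADServiceAccount -Identity $samName -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($check.PrincipalsAllowedToRetrieveManagedPassword -notcontains $server.DistinguishedName) {
    throw "$ServerComputer was not added as an allowed principal for $samName"
}

# Steps 3 and 4: install the gMSA locally and prove this host can retrieve its password.
Install-ADServiceAccount -Identity $samName
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "Test-ADServiceAccount failed for $samName; is this host listed as an allowed principal?"
}

# Step 5: local Administrators membership, added only if missing, then shown for verification.
$member = (Get-ADDomain).NetBIOSName + '\' + $samName
$isMember = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $member }
if (-not $isMember) {
    Add-LocalGroupMember -Group 'Administrators' -Member $member
}
Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $member }
```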

Additional Information

SQL Express does not support the use of a Managed Service Account.