Group managed service account

Written by Neil Langston

Updated at April 2nd, 2025


You can use the common commands below to create and use a gMSA for your PowerSyncPro Dirsync Server installation.

For detailed gMSA information, please refer to this article: Getting Started with Group Managed Service Accounts in Windows Server | Microsoft Learn

 

Update the highlighted sections according to your environment and setup.

 

Install AD features on the DC hosting the gMSA

Install-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory

 

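Add KDS Key to Active Directory

Backdating the effective time by 10 hours makes the key usable immediately instead of waiting out the default delay that allows the key to replicate to all domain controllers.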

Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

 

Create gMSA account e.g.

New-ADServiceAccount -Name gMSA-PSP -DNSHostname 'gMSA-PSP.yourdomain.local' -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword "CN=PSPServer,OU=Servers,DC=yourdomain,DC=local" -Enabled $True -PassThru

 

 

Check account was created

Get-ADServiceAccount -Filter * | Where-Object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}

Get-ADServiceAccount gMSA-PSP -Properties * | Format-List Name, DNSHostName, SamAccountName, PrincipalsAllowedToRetrieveManagedPassword, ObjectCategory

 

Multiple PSP Servers

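If you have multiple PSP Servers, e.g. Production and Staging, create an AD Security Group and put the servers in it, then add the Group to PrincipalsAllowedToRetrieveManagedPassword on the gMSA. Note that Set-ADServiceAccount replaces the existing list of principals rather than appending to it.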

Set-ADServiceAccount gMSA-PSP -PrincipalsAllowedToRetrieveManagedPassword "CN=PowerSyncProFarm,OU=Servers,DC=yourdomain,DC=local"
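
An added example (not part of the original article or PowerSyncPro's own tooling): a read-only audit of which accounts can retrieve the gMSA password after the change above, with nested group members expanded. Any principal listed here can obtain the managed password, so the output should contain only the PSP server computer accounts. The function name Get-GmsaPasswordReader is hypothetical; gMSA-PSP is the account name used in this article.

```powershell
# Added example: list every account that can retrieve the gMSA managed password.
# Read-only; requires the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Get-GmsaPasswordReader {
    # Hypothetical helper name, not a built-in cmdlet.
    param(
        [Parameter(Mandatory)] [string] $Identity   # e.g. gMSA-PSP
    )

    $gmsa = Get-ADServiceAccount -Identity $Identity `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $dn

        # Expand groups so nested members are visible; keep direct principals as-is.
        $effective = if ($principal.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive
        } else {
            $principal
        }

        foreach ($member in $effective) {
            [pscustomobject]@{
                GrantedVia  = $principal.Name
                Member      = $member.Name
                ObjectClass = $member.ObjectClass
                # Only computer accounts (the PSP servers) are expected here.
                Expected    = ($member.ObjectClass -eq 'computer')
            }
        }
    }
}

Get-GmsaPasswordReader -Identity 'gMSA-PSP' | Format-Table -AutoSize
```

Rows with Expected set to False are user or other non-computer accounts that can read the password and should be reviewed.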

 

 

 

Test on the server(s) that need to use it

Install-ADServiceAccount gMSA-PSP

Test-ADServiceAccount gMSA-PSP

 

 

 

PSP Install

When prompted during the PSP installation, enter the gMSA account in this format:

YOURDOMAIN\gMSA-PSP$

 

SQL permissions

 

The gMSA account will need to have permissions to create databases in SQL in your environment (sa/dbo rights).

Furthermore, for more complex or high-security environments, you may need to assign logon rights to SQL for the gMSA account too.

 

 
