Running AGPM service using a managed service account instead of a regular user. To my knowledge it is not officially supported but certainly possible.

I will assume that you have an managed service account and a temporary service account user and password to use for the installation.

  • Assign both the MSA and the service account user logon as service on the AGPM Server
  • Install AGPM using the service account user
  • Transfer the SPN of the service account user to the MSA
    • Get the SPN: setspn -l <user>
    • Delete the SPN setspn -D AgpmServer/<server dns name>/<domain dns name> <user>
    • Add the SPN setspn -A AgpmServer/<server dns name>/<domain dns name> <msa>
  • Make sure that the MSA has full access to C:\ProgramData\Microsoft\AGPM and %windir%\temp
  • Give the required access to the MSA
    • GPOs
    • Root of each domain
    • Group Policy Creator Owners
    • Backup Operators
    • Any other permissions that’s required for AGPM to work in your environment
  • Change the AGPM service to use the MSA (leave the password blank)
  • Remove the temporary service account user
  • Remove logon as a service for the service account user
<
Previous Post
AGPM - There is no such object on the server
>
Next Post
Nested for loops in Bicep