https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/208936#M61117 <P>I'm working with our AD admin, and we are trying to replace our DCAdmin account with a service account on our firewall. With AD2016, the MSA/gMSA accounts require that you link the account to a computer object.</P><P>&nbsp;</P><P>I've seen in a couple documents that it eludes to the fact that MSA's can be used, but it doesn't give any information how. What we are wanting to know is, can the PAN firewall create a computer object on the Domain Controller, and how is that done if it can?</P> Thu, 05 Apr 2018 20:58:13 GMT JohPalmer 2018-04-05T20:58:13Z https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/208936#M61117 <P>I'm working with our AD admin, and we are trying to replace our DCAdmin account with a service account on our firewall. With AD2016, the MSA/gMSA accounts require that you link the account to a computer object.</P><P>&nbsp;</P><P>I've seen in a couple documents that it eludes to the fact that MSA's can be used, but it doesn't give any information how. What we are wanting to know is, can the PAN firewall create a computer object on the Domain Controller, and how is that done if it can?</P> Thu, 05 Apr 2018 20:58:13 GMT https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/208936#M61117 JohPalmer 2018-04-05T20:58:13Z https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/209121#M61153 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78672">@JohPalmer</a></P><P>&nbsp;</P><P>In which documents did you find information that this is possible?</P><P>Because I cannot think of a way this is possible, as the service account credentials are static in the firewall configuration and the only way to change these credentials is if you do it manually (or automatically, but this you have to automate by yourself).</P> Sat, 07 Apr 2018 15:36:45 GMT https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/209121#M61153 Remo 2018-04-07T15:36:45Z https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/209309#M61204 <P>I spoke with PAN TAC on Friday afternoon, and they also confirmed that this isn't an option.&nbsp; We are going with a standard service account for this.</P> Mon, 09 Apr 2018 20:14:18 GMT https://live.paloaltonetworks.com/t5/general-topics/gmsa-integration-with-ad2016-creating-computer-account/m-p/209309#M61204 JohPalmer 2018-04-09T20:14:18Z