gMSA provisioning: edsvaPrincipalsAllowedToRetrieveManagedPassword not returning computer objects in Web-UI

Hi guys,

I'm trying to configure a gMSA provisioning workflow in ARS 6.9 and came across some strange behavior. When you try to specify the computers and groups the gMSA will be used on (edsvaPrincipalsAllowedToRetrieveManagedPassword), the web interface search will only return users/groups but no computers. When you use the MMC to configure that attribute, it will work properly and also show computer objects.

So in this case, if you don't want to use the console, you would always have to specify a group and could not just add one single computer.

Is this a bug in the Web UI or am I missing something here?

Big thanks in advance,

  • Sounds like there could be an issue with the query behind the web UI page. No harm in opening a Support ticket to be sure about that.

    You mention "workflow" - did you mean this in the generic sense of "process" or an actual ActiveRoles workflow? Only reason I ask is because even if there is a GUI limitation in the Web UI, using an AR workflow behind the scenes, you could probably get around it.
  • In reply to JohnnyQuest:

    Thanks for the quick reply,

    I'll open a ticket.

    We have created an ARS site where IT guys can provision different kinds of accounts (real users, consultants, service / test accounts, etc.). The gMSA will be added there, so I actually meant "provisioning process". :)

  • Just to follow up here: this actually is a bug in the web interface and is currently getting fixed...
  • In reply to jochen:

    Hello Jochen,

    Did you get an answer?
    I have the same problem, that I can't add any computer objects to a gMSA from the Web interface.
    Thank you.