
AVEVA™ Batch Management

Using gMSA Accounts for AVEVA Batch Management Services


  • Last Updated: Apr 30, 2025

Managing Service Accounts with Group Policy for Batch Management 13.0

Summary

If customers require centralized management of service accounts for security or operational reasons, they can configure the Batch Management Service to use Group Managed Service Accounts (gMSA).

This is an optional configuration step and may be implemented only if required by the customer's IT policies.

This document provides guidance for customer IT organizations to manage Batch Management service accounts using Active Directory Group Policy (GPO) with Group Managed Service Accounts (gMSA) and then applying this account as the login account for all Batch Management services.

Important:

- The following does not work with the gMSA setup described in this document:
  - Batch Management Web Client auto refresh will not work.
- The "NT SERVICE\aaPim" virtual service account (VSA) must still be added to the local machine Administrators group in order to deploy the platform in the Galaxy. This is a System Platform prerequisite.
- The tasks detailed in this topic are intended to be implemented by Domain and/or Network Administrators only.

Group Managed Service Accounts

Group Managed Service Accounts (gMSAs) have the same purpose as Virtual Service Accounts but are administered as Domain accounts that can be used on multiple computers and for multiple services. AVEVA Technical Support recommends that a separate gMSA be created for each service to allow for more granular management and process isolation. However, depending on the level of process management and isolation required in the given customer environment, a single gMSA can be used for all the services that require GPO management.

Group Managed Service Account requirements:

  • Active Directory schema of Windows Server 2022 or later, and at least one Windows Server 2022 Domain Controller.

  • Creation requires PowerShell scripting on the Domain Controller.

  • Each applicable Batch Management service (on each machine) must be changed to use the gMSA.

On the Domain Controller

  • Start PowerShell as Administrator on the Domain Controller.

  • Import the Active Directory module.

    Note: The Active Directory module is automatically installed and available for import on all Windows 2022 Domain Controllers.

  • A one-time PowerShell action is required to create the KDS Root Key for the domain.

    Note: This can take up to 10 hours to propagate across the entire domain. In a parent-child Domain environment, PowerShell must be executed by a member of the Enterprise Admins group. This group only exists in the parent domain. If these conditions are not met, you will see the error "The request is not supported".

  • Create a Domain Security Group containing the computer accounts that are permitted to use the gMSA (Figure below).

    Note: In this example, a group named ControlNetworkComputers is used with a gMSA named gMSABMServices. You can use any group name or account name.

  1. Create a group named ControlNetworkComputers.

  2. Place the computer accounts for the relevant machines into this group.

  3. Domain-member computers must be rebooted for group membership changes to take effect (the Domain Controller itself does not need to be rebooted).

  4. Create the gMSA that will be used by the above group, in PowerShell.

    New-ADServiceAccount -Name gMSABMServices -DNSHostName gMSABMServices.BMGMSADC.com -PrincipalsAllowedToRetrieveManagedPassword "ControlNetworkComputers"


    Note: If this returns the error message "Key does not exist", the KDS Root Key has not yet propagated across the environment (which can take up to 10 hours).

  5. Verify the account exists in Active Directory Users and Computers > Managed Service Accounts.

  6. Configure the Restricted Groups GPO to permit this account.

    Note: The system automatically adds the $ character to the end of the account name.
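The Domain Controller steps above, gathered into one PowerShell script. This is an added example and not AVEVA's own script: it reuses the names from the page (group ControlNetworkComputers, gMSA gMSABMServices, DNS host name gMSABMServices.BMGMSADC.com), while the computer names in $memberComputers are placeholders. It assumes an elevated session on a Domain Controller with the ActiveDirectory module, run by a Domain Admin (an Enterprise Admin in a parent-child forest). Step 6 (the Restricted Groups GPO) remains a manual Group Policy change and is not scripted here.

```powershell
# Added example, not part of the AVEVA page. Domain Controller side of the gMSA setup.
Import-Module ActiveDirectory

# One-time per forest: create the KDS Root Key. The page notes propagation can take up to
# 10 hours; until it completes, New-ADServiceAccount fails with "Key does not exist".
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

$groupName       = 'ControlNetworkComputers'          # from the page
$gmsaName        = 'gMSABMServices'                   # from the page
$dnsHostName     = 'gMSABMServices.BMGMSADC.com'      # from the page
$memberComputers = @('BMSERVER01', 'BMSERVER02')      # placeholder computer names

# Security group listing the computers allowed to retrieve the gMSA's managed password.
# Limiting this group is what keeps the account usable only on the intended hosts.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers permitted to use the Batch Management gMSA'
}
foreach ($computer in $memberComputers) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $computer)
}
# Members must be rebooted before the new group membership appears in their token.

# The gMSA itself; only members of the group above may retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# Verify the account and who may retrieve its password. AD appends '$' to the
# SAM account name, so services reference it as DOMAIN\gMSABMServices$.
Get-ADServiceAccount -Filter "Name -eq '$gmsaName'" -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, SamAccountName, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

The Get-KdsRootKey guard keeps the script safe to re-run; a second Add-KdsRootKey is not needed and the existence checks on the group and account make the remaining steps idempotent.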

On each computer where the service will run

The following steps must be reapplied after an upgrade or reinstall of the Batch Management software:

Note: The use of Install-ADServiceAccount is not necessary for gMSA.

  1. Configure the service to use the gMSA. Do not forget the $ after the account name.

  2. When the service is configured to use the account, the account is also granted the Log On As A Service right.

  3. Reboot the machine to verify account membership and test deployment.

  4. After rebooting, verify the account is still in the Administrators group.

  5. Verify that all Batch Management services are running successfully with the gMSA account.
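The member-computer steps above as a script, added here as an example rather than taken from the AVEVA page. It changes one service's logon account through the Win32_Service Change method (a scripted equivalent of editing the Log On tab in the Services console) and then runs the post-reboot checks. The domain NetBIOS name BMGMSADC and the service name 'BatchManagementServicePlaceholder' are placeholders; the gMSA name comes from the page. Test-ADServiceAccount assumes the RSAT ActiveDirectory module is installed on the Batch Management server.

```powershell
# Added example, not part of the AVEVA page. Run elevated on the Batch Management server.
$gmsa        = 'BMGMSADC\gMSABMServices$'          # placeholder domain; note the trailing $
$serviceName = 'BatchManagementServicePlaceholder'  # placeholder service name

# Step 1: point the service at the gMSA. No password is supplied: Windows retrieves
# the managed password from AD, which is the reason a gMSA needs no stored secret.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = $gmsa; StartPassword = '' }
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed with return code $($result.ReturnValue)"
}

# Step 2: the page states the account is granted Log On As A Service when the service
# is configured. If the change was scripted rather than made in services.msc, confirm
# the right in Local Security Policy before relying on it.

# Steps 3 and 4 (after the reboot): can this computer retrieve the managed password,
# and is the gMSA still a member of the local Administrators group?
Test-ADServiceAccount -Identity 'gMSABMServices'
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $gmsa })
"gMSA in local Administrators: $isAdmin"

# Step 5: list every service that logs on as the gMSA, with its state.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq $gmsa } |
    Select-Object Name, State, StartMode, StartName
```

Test-ADServiceAccount returns True only when the local computer can retrieve the managed password, which fails until the computer is in ControlNetworkComputers and has been rebooted; a False here explains a service that will not start before any Batch Management logs need to be read.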
