How to change the Logon Account for an Atria Component

Overview

The majority of Atria components need to run in the context of an Active Directory User account in order to grant the component the rights it needs to perform its intended task. Although the naming of these accounts typically follows a certain pattern, there may be times when you want to use a different pattern, or use a specific account name for these components.

Additionally, older versions of Atria may be configured to use an Active Directory User Account for a component, and you may wish to change that component to use a gMSA account instead.

With Atria v15.24 onwards, the component credential can be configured quite easily with a few simple steps.

This document will detail how to change an existing component to use a different account.

Applies to

Atria 15.24 and later

Details

NOTE: Not all accounts can be configured as gMSAs. Only those that are used as the Logon Account for Web Services, Services, or Scheduled Tasks can use gMSAs. All other credentials must be User Accounts.

The list below details the components that can be configured as gMSAs:

Component                     ComponentName     Type
Atria Config Service          configservice     Service
Atria Agent                   agent             Service
Atria Provisioning Service    provisioning      Service
Directory Web Service         directoryws       Web Service
MSOL Web Service              msolws            Web Service
WorkSpace Web Service         workspacews       Web Service
Scheduled tasks               scheduledtasks    Scheduled Tasks

To change the account for a component, run the following in an administrative PowerShell session:

$Cred = Get-Credential       # This is where you set the details of your new credential.  Refer to the below information for further details
Set-AtriaInstallerCredential -Component <componentname> -Server <servername> -Credential $Cred

When entering the details of the credential, make sure to specify it in the format Domain\Account. If the account is to be a gMSA, make sure to include the $ (dollar sign) on the end of the AccountName. A gMSA account cannot exceed 15 characters in length. A User Account can be up to 20 characters in length. Leave the Password blank for a gMSA account.

The user does not need to exist prior to configuring this. The installers will create the credential if it does not exist.

This will store the desired credential securely in the Atria Config Service.

Then simply re-run an upgrade (or installation) for the desired component.

As an example, to reconfigure the Agent to use a gMSA, run the following with DomainName\Atria_Agent_Svc$ as the account:

$Cred = Get-Credential
Set-AtriaInstallerCredential -Component Agent -Server (HostName) -Credential $Cred
Update-AtriaAgent

or

$Password = New-Object -TypeName System.Security.SecureString
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('DomainName\Atria_Agent_Svc$', $Password)
Set-AtriaInstallerCredential -Component Agent -Server (HostName) -Credential $Cred
Update-AtriaAgent

The Agent will be updated (to the highest version available that is less than or equal to the version of the Atria.Tools PowerShell module that is installed on the Provisioning Server), and the Service will be reconfigured to use this account.

Any Certificates that the account needs access to will also be updated automatically.

Follow the same procedure to change to a different User (non-gMSA) account.
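
The account-name rules described above can be checked before the credential is stored. The following is an added example, not part of Atria.Tools: New-AtriaComponentCredential is a hypothetical helper name, DomainName is a placeholder, and the 15-character gMSA limit is assumed to be counted without the trailing $ (which is how the Atria_Agent_Svc$ example above fits).

```powershell
# Added example: pre-flight check for the account-name rules in this article.
# New-AtriaComponentCredential is a hypothetical helper, not an Atria cmdlet.
function New-AtriaComponentCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Component,
        [Parameter(Mandatory)] [string] $Account,       # Domain\Account
        [System.Security.SecureString] $Password        # omit for a gMSA
    )

    # ComponentName values from the table above that may run as a gMSA.
    $gmsaCapable = 'configservice', 'agent', 'provisioning', 'directoryws',
                   'msolws', 'workspacews', 'scheduledtasks'

    # Exactly one backslash between a non-empty domain and account name.
    if ($Account -notmatch '^(?<domain>[^\\]+)\\(?<name>[^\\]+)$') {
        throw "Account '$Account' must be in Domain\Account format."
    }
    $name   = $Matches['name']
    $isGmsa = $name.EndsWith('$')

    if ($isGmsa) {
        if ($gmsaCapable -notcontains $Component) {
            throw "Component '$Component' cannot use a gMSA; supply a User Account."
        }
        # Assumption: the limit is measured without the trailing $.
        if ($name.TrimEnd('$').Length -gt 15) {
            throw "gMSA name '$name' exceeds 15 characters."
        }
        if ($Password -and $Password.Length -gt 0) {
            throw 'Leave the password blank for a gMSA.'
        }
        # Blank password, as in the article's second example.
        $Password = New-Object -TypeName System.Security.SecureString
    }
    else {
        if ($name.Length -gt 20) {
            throw "User Account '$name' exceeds 20 characters."
        }
        # Requirement of this helper: PSCredential needs a SecureString.
        if (-not $Password) { throw 'Supply -Password for a User Account.' }
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Account, $Password)
}

# Constructed sample values; DomainName is a placeholder.
$Cred = New-AtriaComponentCredential -Component agent -Account 'DomainName\Atria_Agent_Svc$'
# Then, as in the article:
# Set-AtriaInstallerCredential -Component Agent -Server (HostName) -Credential $Cred
```

A name that fails any of these checks throws before anything is written to the Atria Config Service, so a mistyped or over-length account name is caught before the upgrade is re-run.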

Other Considerations

When changing a Web Service Account, typically in Atria you would also configure the Service Connection to use the same account. This is not actually needed, and in fact, if using a gMSA account, it is not even possible. New installs of Atria will create an account specifically for Web Service access, with the pattern Atria_Connect_????. This account has no administrative rights. It is simply used to call Web Services.
It is intended that, in the future, Web Service Authorization will also be restricted to this account (or Domain Administrators) only.

If this account does not exist, and you wish to delete the existing (old) account, then this account should be configured in the same manner as described above. Use 'WebServiceConnect' as the name of the Component. The Web Service connection can then be reconfigured to use this account.