Please feel free to provide feedback or file bugs here.

DSC: Should allow Credentials with Blank Passwords, so you can use GMSA accounts

For some reason DSC errors out when a credential object contains a null password. Unfortunately that is the mechanism used to set group managed service accounts.
Here is a link to a relevant bug in xWebAdministration: https://github.com/PowerShell/xWebAdministration/issues/80#issuecomment-171364644

And here is an example of the output you receive when you attempt to use a managed service account:

"VERBOSE: [COMPUTERNAME]: LCM: [ End Test ] [[xWebAppPool]testpool] in 0.0070 seconds.
The password supplied to the Desired State Configuration resource MSFT_xWebAppPool is not valid. The password cannot be null or empty.
+ CategoryInfo : InvalidResult: (:) [], CimException
+ FullyQualifiedErrorId : InvalidPassword
+ PSComputerName : localhost

104 votes

RandomChance shared this idea
survey  ·  Mark Gray responded

Thanks for the feedback! I have personally heard this request from a number of customers. IMHO having the ability to use GMS accounts would be quite useful in DSC configurations. If this is an important feature for you as well, vote it up so that we can appropriately prioritize it as we move forward.

MarkG

6 comments

  • Anonymous commented

    Is there any update on this? We are using DSC alongside Puppet, whilst Puppet can run quite happily a gMSA, when it invokes DSC we hit a number of issues by not being able to use managed service accounts.

  • CJ commented

    Is it done yet? This should have been a no-brainer that we need to support gMSAs. Why would you try to promote the usage of regular accounts with all of their management overhead and security concerns?

  • Edd Douse commented

    I've been thinking about this since running into the problem myself. The thing I'm thinking now is to keep the behaviour of credentials not allowing blank passwords (because it's difficult to create a secure string on a blank object).

    Instead, have the resources check the credential's username, if it ends in a $ symbol (required for Managed Service Accounts), ignore the password.

    It's what I'm about to do, although I don't like changing the DSC resources from the gallery too much but I'll see if it works then submit a PR.
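
The username check proposed in the comment above, sketched as an added example (not code from the post, from xWebAdministration, or from DSC itself). The function name `Get-IdentityPasswordPolicy`, its return shape, and the `CONTOSO\...` account names are hypothetical.

```powershell
# Hypothetical helper: decides whether a resource should apply the password
# carried by a credential, or ignore it because the account is managed.
function Get-IdentityPasswordPolicy {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    $userName = $Credential.UserName

    # The sAMAccountName of a managed service account ends in '$'
    # (e.g. CONTOSO\svc-web$). Computer accounts carry the same suffix, so
    # this is a naming heuristic, not proof of the account type.
    $isManaged = $userName.EndsWith('$')

    # SecureString.Length is the character count; 0 means a blank password.
    $hasPassword = $Credential.Password.Length -gt 0

    if ($isManaged) {
        if ($hasPassword) {
            Write-Warning "Ignoring the supplied password for managed account '$userName'."
        }
        return @{ UserName = $userName; SetPassword = $false }
    }

    # Ordinary accounts keep the existing rule: a blank password is rejected.
    if (-not $hasPassword) {
        throw "The password cannot be null or empty for account '$userName'."
    }
    return @{ UserName = $userName; SetPassword = $true }
}

# Constructed sample input: an empty SecureString stands in for the gMSA password.
$blank = New-Object System.Security.SecureString
$gmsa  = New-Object System.Management.Automation.PSCredential('CONTOSO\svc-web$', $blank)
$user  = New-Object System.Management.Automation.PSCredential('CONTOSO\webuser', $blank)

(Get-IdentityPasswordPolicy -Credential $gmsa).SetPassword    # False: password skipped
try { Get-IdentityPasswordPolicy -Credential $user }
catch { Write-Output "Rejected: $($_.Exception.Message)" }    # blank password on a normal account
```

Because the suffix test matches any name ending in `$`, a resource using it should still let the account lookup fail on its own if the name does not resolve to a real managed account.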
