Hi
So the documentation (https://technet.microsoft.com/en-us/library/jj128431.aspx) for creating gMSAs says that the parameter "-PrincipalsAllowedToRetrieveManagedPassword" should restrict the ability to use the gMSA to the machines that are part of the security groups given in the parameter. E.g.
New-ADServiceAccount -name dev-service -DNSHostName dev-service -PrincipalsAllowedToRetrieveManagedPassword gMSA-dev-service-allowed-hosts
should, as I understand it, allow only the machines that are part of the security group "gMSA-dev-service-allowed-hosts" to access the password of the account dev-service, thereby limiting the machines that can use the account.
My problem is that I cannot get it to work that way. Even on a machine that is not a member of "gMSA-dev-service-allowed-hosts", the account can be used without problem.
Did I misunderstand the meaning of -PrincipalsAllowedToRetrieveManagedPassword?
Thanks
Best,
Deniz
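An added example, not part of the original question: a PowerShell check that lists which principals may retrieve the gMSA's managed password, tests whether the local computer account is one of them (directly or through group membership), and runs the built-in Test-ADServiceAccount from that host. It assumes the RSAT ActiveDirectory module is installed and uses the account and group names from the question.

```powershell
# Added example (not from the original post): audit who may retrieve the gMSA
# password and whether this computer is among them, then run the built-in
# retrieval test. Assumes the RSAT ActiveDirectory module and the names used
# in the question (dev-service, gMSA-dev-service-allowed-hosts).
Import-Module ActiveDirectory

$gmsaName = 'dev-service'
$computer = $env:COMPUTERNAME        # assumption: run on the host under test

# 1. Which principals are allowed to retrieve the managed password? (DNs)
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
          -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
"Principals allowed to retrieve the password of ${gmsaName}:"
$allowed | ForEach-Object { "  $_" }

# 2. Is this computer's account (HOST$) listed directly, or a member
#    (recursively) of one of the allowed groups?
$me = Get-ADComputer -Identity $computer
$directlyAllowed = $allowed -contains $me.DistinguishedName
$viaGroup = $false
foreach ($dn in $allowed) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        $members = Get-ADGroupMember -Identity $dn -Recursive
        if ($members.DistinguishedName -contains $me.DistinguishedName) {
            $viaGroup = $true
        }
    }
}
"{0} allowed directly: {1}; allowed via group: {2}" -f `
    $me.SamAccountName, $directlyAllowed, $viaGroup

# 3. Can this host actually retrieve the password right now?
#    Caveat: the computer's group membership is carried in its Kerberos
#    ticket, so a host added to (or removed from) the group keeps its old
#    result until it gets a fresh ticket (reboot, or 'klist -li 0x3e7 purge'
#    from an elevated prompt).
$canRetrieve = Test-ADServiceAccount -Identity $gmsaName
"Test-ADServiceAccount on $computer -> $canRetrieve"
```

Comparing step 2 (what the directory says) with step 3 (what the host can do right now) shows whether the restriction is not applied at all or simply not yet in effect for that machine.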