How to configure TruGrid Sentry to use passwordless gMSA service account

TruGrid Sentry Group Managed Service Account (gMSA) setup


An Active Directory (AD) Group Managed Service Account (gMSA) is a domain account whose password is generated and rotated automatically by the domain controllers (every 30 days by default) and is never typed by or known to an administrator. Only the computer accounts explicitly authorized to retrieve that password can run services under it, so one gMSA can serve several servers while removing both the password-management overhead and the shared-secret risk of a traditional service account.


The standard TruGrid Sentry installer creates an Active Directory account with a randomly generated password. That account is used as the TruGrid Sentry service account when Sentry is installed on servers that are not domain controllers. For organizations whose policy requires managed, rotated passwords for every service account, TruGrid provides a version of the TruGrid Sentry installer that uses a Group Managed Service Account (gMSA).


This document describes how to install TruGrid Sentry with a Group Managed Service Account (gMSA).



Prerequisites

The commands in steps 1 and 2 are easiest to run on a Domain Controller. If you run them on a server that is not a domain controller, install the RSAT Active Directory PowerShell module on that server before proceeding. Run all PowerShell commands below from an ELEVATED prompt, using an account that is allowed to manage the KDS root key and create service accounts (Domain Admins or an equivalent delegation).


  • Install the RSAT Active Directory PowerShell module if you are running the commands on a non-domain controller
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory


  • Verify that a KDS root key exists.

A KDS root key is created once per forest; there is no need to create another if one is already present. Check with the command below (it returns nothing when no key exists):

Get-KdsRootKey 



Below are the required steps


  1. Create the KDS root key if none exists (see the verification command above)


If Get-KdsRootKey returned no existing KDS root key, create one with the following command:


Add-KdsRootKey -EffectiveImmediately


**OPTIONAL: **Even with -EffectiveImmediately, Windows does not allow the key to be used for gMSA passwords until 10 hours after creation. This is deliberate: it gives every domain controller in the forest time to replicate the key, and a DC that has not yet received it cannot compute the gMSA password. The command below back-dates the effective time by 10 hours so the key is usable at once. Use it only in a lab or a single-DC domain; in a production forest with several DCs, wait the 10 hours instead.


Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))


  2. Create the gMSA Service Account


Before creating the gMSA, build the list of TruGrid Sentry servers that will be allowed to retrieve its password. Each entry is the server's computer account name, i.e. the host name followed by a trailing $. To support more than one Sentry server, pass the names as separate quoted strings in the array (the original example placed both names inside a single string, which AD would reject as an unknown principal). Replace %your.domain.com% with your domain FQDN. The -DNSHostName value is only a label for the service account object; it does not have to resolve in DNS.


$sentryServers = @("TGSENTRY-01$", "TGSENTRY-02$")
New-ADServiceAccount -Name "SentryGmsa" -DNSHostName "sentrygmsa.%your.domain.com%" -PrincipalsAllowedToRetrieveManagedPassword $sentryServers -Enabled $true


After executing the command, check if the account was created in AD:


Get-ADServiceAccount -Identity "SentryGmsa"
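Steps 1 and 2 together, as an added example (this is not TruGrid's own script). It departs from the article in one respect: instead of listing computer accounts directly in -PrincipalsAllowedToRetrieveManagedPassword, it puts the Sentry computer accounts in a security group and authorizes the group, so that adding a Sentry server later is a group-membership change rather than a rewrite of the principal list. It also restricts the account to AES Kerberos encryption. The group name TGSentryHosts, the host names and the use of the domain returned by Get-ADDomain are assumptions for the example; run it in an elevated prompt on a domain controller or a host with the RSAT AD module.

```powershell
# Added example, not TruGrid's own script. Assumed names: group TGSentryHosts,
# gMSA SentryGmsa, hosts TGSENTRY-01 and TGSENTRY-02 (computer objects must exist).
Import-Module ActiveDirectory

$GmsaName    = 'SentryGmsa'
$GroupName   = 'TGSentryHosts'
$DomainFqdn  = (Get-ADDomain).DNSRoot
$SentryHosts = @('TGSENTRY-01', 'TGSENTRY-02')   # host names, without the trailing $

# 1. KDS root key. -EffectiveImmediately still waits 10 hours so every DC has replicated
#    the key before it is used; only back-date the EffectiveTime in a single-DC lab.
$kds = Get-KdsRootKey
if (-not $kds) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning "KDS root key created; gMSA password retrieval works after the 10-hour replication margin."
} else {
    $first = ($kds | Sort-Object EffectiveTime)[0]
    Write-Host "KDS root key present, effective since $($first.EffectiveTime)"
}

# 2. Security group holding the Sentry computer accounts (the principal set of the gMSA).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $GmsaName password" -PassThru
}
foreach ($h in $SentryHosts) {
    $computer = Get-ADComputer -Identity $h      # throws if the computer object does not exist
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. The gMSA itself. KerberosEncryptionType limits the account to AES (no RC4 tickets).
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'"
if (-not $gmsa) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$DomainFqdn" `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -KerberosEncryptionType AES128, AES256 `
        -Enabled $true
}

# 4. Verify: who may read msDS-ManagedPassword, the rotation interval, and the group members.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, KerberosEncryptionType |
    Select-Object Name, Enabled, KerberosEncryptionType, ManagedPasswordIntervalInDays,
                  PrincipalsAllowedToRetrieveManagedPassword
Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass
```

Because the authorization is checked against the computer's Kerberos token, a Sentry server that was just added to the group must reboot (or purge its system logon session tickets with `klist -li 0x3e7 purge`) before Install-ADServiceAccount on that server will succeed.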


  3. Install the gMSA account on the TruGrid Sentry Servers:


a. Log in to the first Sentry server. Open PowerShell in ELEVATED mode and run the command below (the ActiveDirectory module from RSAT must be installed on the server).


Install-ADServiceAccount -Identity "SentryGmsa"


b. Check that the installation succeeded (the command returns True when this computer is able to retrieve the gMSA password):


Test-ADServiceAccount -Identity "SentryGmsa"


c. Add the gMSA account (%your.domain.com%\SentryGmsa$) to the LOCAL ADMINISTRATORS group on the TruGrid Sentry server. If your policy does not allow this, see the OPTIONAL section at the end of this article for a least-privilege alternative.


d. Log in to the other TruGrid Sentry servers and repeat steps 3a to 3c.
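Steps 3a to 3c as one checked script, added here as an example (not TruGrid's own code). It assumes the gMSA SentryGmsa already exists, that this computer is in its principal set, and that the RSAT ActiveDirectory module is installed locally; the NetBIOS domain name is taken from Get-ADDomain. Run it in an elevated prompt on each Sentry server.

```powershell
# Added example, not TruGrid's own script. Run elevated on every Sentry server.
Import-Module ActiveDirectory

$GmsaName      = 'SentryGmsa'
$NetBiosDomain = (Get-ADDomain).NetBIOSName
$GmsaNtAccount = "$NetBiosDomain\${GmsaName}$"     # e.g. CORP\SentryGmsa$

# 1. Cache the gMSA on this host: LSA retrieves the managed password from AD.
#    Re-running this is harmless if the account is already installed.
Install-ADServiceAccount -Identity $GmsaName

# 2. Test-ADServiceAccount returns $true only if this computer can retrieve the password.
#    A $false here is an authorization problem in AD, not a local one.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw ("This computer cannot retrieve the password for $GmsaName. Check " +
           "PrincipalsAllowedToRetrieveManagedPassword (or group membership), then reboot " +
           "or run 'klist -li 0x3e7 purge' so the computer's token reflects the change.")
}

# 3. Local Administrators, as the article prescribes (the OPTIONAL section gives a
#    least-privilege alternative). Add-LocalGroupMember ships with Windows Server 2016+.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -ieq $GmsaNtAccount }
if (-not $isAdmin) {
    Add-LocalGroupMember -Group 'Administrators' -Member $GmsaNtAccount
}

# 4. Show the result. Note that no password was typed anywhere on this server.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -ieq $GmsaNtAccount } |
    Select-Object Name, ObjectClass, PrincipalSource
```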



  4. Install & Configure TruGrid Sentry


a. Install the TruGrid Sentry software on the designated TruGrid Sentry servers. Download and install TruGrid Sentry from the following link.


Once the TruGrid Sentry software is installed, two TruGrid Sentry services should be visible in the Windows Services applet:



b. Update the two TruGrid Sentry services to run under the gMSA account


When running these commands, replace %your.domain.com% with your domain FQDN. The service account is given as %your.domain.com%\SentryGmsa$ (note the trailing $) and the password argument is an empty string, because a gMSA has no password that an administrator can type.


Before running these commands, stop and disable the "TruGrid Sentry Service" and "TruGrid Health Monitor" services and terminate all TruGrid Sentry Broker processes.


  • Update the TruGrid Sentry service:
$service = Get-WmiObject Win32_Service -Filter "Name='trugrid_sentry'"
$service.Change($null, $null, $null, $null, $null, $null, "%your.domain.com%\SentryGmsa$", "")


  • Update the TruGrid Sentry Health Monitor service:
$service = Get-WmiObject Win32_Service -Filter "Name='trugrid_sentry_health_monitor'"
$service.Change($null, $null, $null, $null, $null, $null, "%your.domain.com%\SentryGmsa$", "")


  • Open the Windows Services applet and update both services to ENABLED and AUTOMATIC
  • Start both TruGrid Sentry services


If everything has been done correctly, the two TruGrid services will now be running under the gMSA account:
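Step 4b to 4d as one checked script, added here as an example (not TruGrid's own code). It does the same Win32_Service.Change call as the two commands above, but through the CIM cmdlets, tests the method's return code instead of ignoring it, sets the start mode back to Automatic, starts both services and then prints the account each one runs as. The service names trugrid_sentry and trugrid_sentry_health_monitor are the ones used above; the domain corp.example.com is an assumed placeholder, to be replaced with your own FQDN.

```powershell
# Added example, not TruGrid's own script. Run elevated on each Sentry server after
# the Sentry software is installed and the Sentry Broker processes have been terminated.
$GmsaAccount  = 'corp.example.com\SentryGmsa$'       # assumed placeholder domain
$ServiceNames = @('trugrid_sentry', 'trugrid_sentry_health_monitor')

foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { throw "Service '$name' not found; is TruGrid Sentry installed?" }

    # The logon account of a running service cannot be changed; stop it first.
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }

    # Win32_Service.Change: only the named arguments are changed, everything else is kept.
    # StartPassword is an empty string because a gMSA password is never supplied by hand.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $GmsaAccount
        StartPassword = ''
        StartMode     = 'Automatic'     # re-enables the service if it was set to Disabled
    }
    if ($result.ReturnValue -ne 0) {
        # Documented Win32_Service.Change codes: 15 = service logon failed,
        # 22 = invalid service account (for example a missing trailing $).
        throw "Change() on '$name' failed with return code $($result.ReturnValue)."
    }

    try {
        Start-Service -Name $name -ErrorAction Stop
    } catch {
        throw ("Start of '$name' failed: $($_.Exception.Message). A logon failure usually " +
               "means the gMSA lacks the 'Log on as a service' right on this host; grant it " +
               "in Local Security Policy or by GPO (services.msc grants it automatically, " +
               "the WMI/CIM Change method and sc.exe do not).")
    }
}

# Verify: both services should report the gMSA as StartName, Automatic and Running.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -in $ServiceNames } |
    Select-Object Name, State, StartMode, StartName
```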




OPTIONAL: For organizations that do not wish to add the gMSA to the LOCAL ADMINISTRATORS group on the TruGrid Sentry servers


If you prefer not to add the gMSA to the Local Administrators group on the TruGrid Sentry servers, grant the gMSA account permissions on the TruGrid Sentry installation folder and registry key instead, as shown below.


Using PowerShell in elevated mode, grant the gMSA account the permissions it needs on the TruGrid Sentry folder (for writing logs). The rule below grants FullControl, inherited by all subfolders and files; if writing logs is the only requirement, Modify is sufficient and is the least-privilege choice. Replace %your.domain.com% with your domain FQDN.

$acct = "%your.domain.com%\SentryGmsa$"
$path = "C:\Program Files\TruGrid\Sentry"
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acct, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl $path $acl


Using PowerShell in elevated mode, grant the gMSA account the permissions it needs on the TruGrid Sentry registry key (for reading the Sentry registry values). The rule below grants FullControl on the key itself only (InheritanceFlags None, so subkeys are not covered); if reading is the only requirement, ReadKey is sufficient, and if Sentry keeps values in subkeys use ContainerInherit. Use the same domain-qualified account name as for the folder so the name resolves to the domain gMSA rather than to a local account.

$acct = "%your.domain.com%\SentryGmsa$"
$regPath = "HKLM:\SOFTWARE\TruGrid\Sentry"
$acl = Get-Acl $regPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $acct,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $regPath -AclObject $acl 
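A least-privilege variant of the two ACL snippets above, added here as an example (not TruGrid's own code). It takes the article at its word that the gMSA only writes logs under the installation folder and reads the Sentry registry key, so it grants Modify on the folder tree and ReadKey on the key and its subkeys instead of FullControl, resolves the account to its SID once so the identity form (NetBIOS or FQDN) does not matter, and then lists only the ACEs that name the gMSA so the result can be audited. The domain corp.example.com is an assumed placeholder; if Sentry turns out to need more than the article states, widen the rights accordingly.

```powershell
# Added example, not TruGrid's own script. Run elevated on each Sentry server.
$Account = 'corp.example.com\SentryGmsa$'            # assumed placeholder domain
$Folder  = 'C:\Program Files\TruGrid\Sentry'
$RegKey  = 'HKLM:\SOFTWARE\TruGrid\Sentry'

function Grant-SentryGmsaAccess {
    param([string]$Account, [string]$Folder, [string]$RegKey)

    # Resolve the account to a SID once; ACEs are stored by SID, not by name.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Folder: Modify (read, write, create, delete) on the folder, subfolders and files.
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $Folder -AclObject $acl

    # Registry: ReadKey on the key and, via ContainerInherit, on its subkeys.
    $racl = Get-Acl -Path $RegKey
    $racl.SetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
    Set-Acl -Path $RegKey -AclObject $racl
}

function Show-SentryGmsaAccess {
    param([string]$Account, [string]$Folder, [string]$RegKey)

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Report only the ACEs granted to the gMSA, comparing by SID so the name form is irrelevant.
    foreach ($p in @($Folder, $RegKey)) {
        (Get-Acl -Path $p).Access |
            Where-Object {
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $p
                    Identity    = $_.IdentityReference.Value
                    Rights      = if ($_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights }
                    Inheritance = $_.InheritanceFlags
                    Type        = $_.AccessControlType
                }
            }
    }
}

Grant-SentryGmsaAccess -Account $Account -Folder $Folder -RegKey $RegKey
Show-SentryGmsaAccess  -Account $Account -Folder $Folder -RegKey $RegKey
```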



Please follow below steps to add additional TruGrid Sentry servers in the future


In order to add new TruGrid Sentry servers to the environment later, please do the following:


a. Connect to a Domain Controller and run the PowerShell commands below to update the list of TruGrid Sentry servers. Set-ADServiceAccount replaces the whole principal list, so the list must contain every existing Sentry server as well as the new one; any server left out loses the ability to retrieve the gMSA password. This example adds server TGSENTRY-03 to the existing TGSENTRY-01 and TGSENTRY-02.

$sentryServers = @("TGSENTRY-01$", "TGSENTRY-02$", "TGSENTRY-03$")
Set-ADServiceAccount -Identity "SentryGmsa" -PrincipalsAllowedToRetrieveManagedPassword $sentryServers
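The same change without retyping the existing list, added here as an example (not TruGrid's own code): it reads the current principal set from the gMSA, appends the new computer's distinguished name only if it is not already present, and writes the combined set back, so no existing Sentry server can be dropped by a typo. The host name TGSENTRY-03 is taken from the article; the gMSA name is the one used throughout. If the gMSA was created with a security group as its principal (rather than a list of computers), add the computer to that group with Add-ADGroupMember instead.

```powershell
# Added example, not TruGrid's own script. Run elevated on a DC or with the RSAT AD module.
Import-Module ActiveDirectory

$GmsaName = 'SentryGmsa'
$NewHost  = 'TGSENTRY-03'

function Add-SentryGmsaPrincipal {
    param([string]$GmsaName, [string]$ComputerName)

    # Current principal set: AD returns distinguished names; drop any empty entries.
    $current = @((Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
        ).PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })

    # Fails loudly if the computer object does not exist, instead of writing a bad entry.
    $newDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    if ($current -contains $newDn) {
        Write-Host "$ComputerName is already allowed to retrieve the $GmsaName password."
        return $current
    }

    # Set-ADServiceAccount replaces the entire set, so pass existing entries plus the new one.
    $updated = $current + $newDn
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $updated
    return $updated
}

# Apply, then re-read from AD to confirm before touching the new server (steps 3 and 4).
Add-SentryGmsaPrincipal -GmsaName $GmsaName -ComputerName $NewHost | Out-Null
(Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
).PrincipalsAllowedToRetrieveManagedPassword
```

Allow the change to replicate to the domain controller the new server authenticates against before running Install-ADServiceAccount there; until then Test-ADServiceAccount on that server returns False.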


b. Repeat steps 3 and 4 on the new TruGrid Sentry server (example TGSENTRY-03)


Updated on: 22/01/2026
