OPTION A: Group Managed Service Account (gMSA)

Modified on Sun, 15 Oct 2023 at 09:44 PM


Please work with your local IT Administrator to apply the below solution


This article is recommended for users who are installing Crystal Delivery Pro on a corporate or academic domain.

Configure Crystal Delivery Service with a Group Managed
Service Account (gMSA)

When Crystal Delivery Pro is installed on a domain server or domain computer, it is recommended that a Group Managed Service Account (gMSA) be provisioned for the Crystal Delivery Service.  This will allow the service to run reliably and securely with the correct permissions.

The instructions below are intended for IT Administrators to follow.  Simply link them to this article.


These instructions are divided into Part 1, Part 2, and Part 3 which you will follow to correctly deploy a Group Managed Service Account (gMSA) for the Crystal Delivery Service.

Part 1 of 3 - Add gMSA to Domain Controller

  1. From a Domain Controller Server with Active Directory
  2. Using Powershell, run the following commands to create and install the a Group Managed Service Account for Crystal Delivery Service.
  3. Install and import the Active Directory PowerShell Module.
    Powershell Commands to Run
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory

    Important: Domain Controllers (DC) require a root key to begin generating gMSA passwords. You may already have this set up or you may not have this set up.

    Do I have a root key already set up?
    Run the following command to return any root key you have configured:
    Run: Get-KdsRootKey

    If no results are returned, you may not have a root key set up and will need one.

    How to set up a root key?
    This is not covered in this article, but be aware, that when setting up a root key, the domain controllers will wait up to 10 hours from the time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA.

    You can bypass this wait time for test purposes only using the following command (not recommended)
    Add-KdsRootKey -EffectiveTime ((get-date).addHours(-10))

  4. To create a new Managed Service Account, we can proceed as it follows:
    New-ADServiceAccount -Name CrystalDelivery -DNSHostName CrystalDelivery.<<your domain>> -PrincipalsAllowedToRetrieveManagedPassword <<Your Computer Name>>$,<<other computers running crystal delivery pro>>$


    New-ADServiceAccount -Name CrystalDelivery -DNSHostName CrystalDelivery.groff.local -PrincipalsAllowedToRetrieveManagedPassword WIN10HOST$,win2019server$


    • -Name -- new service account name. Make sure the name refers to a valid computer objects
      • Example: CrystalDelivery
    • -DNSHostName -- FQDN of the new gMSA account
      • Example: CrystalDelivery.mydomain.local
    • -PrincipalsAllowedToRetrieveManagedPassword -- your Crystal Delivery Pro Server NETBIOS name ended with $
      • Example: YourComputerName$

    If you want to specify a security group that comprises multiple Crystal Delivery servers, run the command as follows:

    New-ADServiceAccount -Name CrystalDelivery -DNSHostName CrystalDelivery.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword YourServerGroup

  5. We can now test the managed service account. To do so, please proceed as follows:
    Test-ADServiceAccount -Identity CrystalDelivery | Format-List

  6. The above should return true. If so, it is now time to install our Managed Service Account:
    Install-ADServiceAccount -Identity CrystalDelivery

  7. Done

  8. You can also check for the service from within the UI, by accessing "dsa.msc" > your Domain Controller > "Managed Service Accounts"

Part 2 of 3 - Add gMSA to Crystal Delivery Service

  1. Click Start > Type services.msc > Press enter to run.
  2. Locate Crystal Delivery Service in the list of services
  3. Right-click Crystal Delivery Service > click Properties
  4. Click Log On Tab
  5. Ensure This account is selected and enter domain\CrystalDelivery$ in the input box. Password fields should be empty.

    This Account: groff\CrystalDelivery$
    Password: <leave empty>
    Confirm Password: < leave empty>

  6. Click Apply > click OK
  7. Note:  If the Log On Tab is grayed out, you may need to work with your local IT Administrator to configure the service.
  8. Proceed to Part 3 below.

Part 3 of 3 - Add gMSA to File Shares

  1. Right-click on File Share folder > click Properties
  2. Click Security tab > click Edit button
  3. Click Add button > click Object Types button
  4. Check the Service Accounts checkbox
  5. Click OK
  6. Enter CrystalDelivery$ in the text input box
  7. Click Check Names button to confirm the service is available.
  8. Click OK
  9. Under Allow, check Modify & Write permissions
  10. Click Apply > click OK
  11. Click OK
  12. Done - your service is now securely configured to run.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article