Creating a Group Managed Service Accounts (gMSA) (with Windows Server 2008 R2 Schema)
Here is a funny one that a colleague and I were looking at, to set up the AAD Connect Provisioning agent you need to create a gMSA account.
(This was for setting up Workday so that HR can provision users in AD)
New-ADServiceAccount -Name svc_aadces_prov `
-DNSHostName svc_aadccs_prov.domain.com `
-Path "OU=Service Administrators,DC=internal,DC=domain,DC=com" `
-KerberosEncryptionType AES128, AES256' `
-ManagedPasswordIntervallnDays 30' `
-PrincipalsAllowedToRetrieveManagedPasstword server1,server2$
Run on a domain controller or psconnect into the server
Start AAD Connect Provisioning Agent Configuration
• Extension: choose "HR-driven provisioning (Workday and SuccessFactors)
• Sign in as Global Administrator
• Service account: enter the existing AAD Connect service account details for (svc_aadccs_prov)
• Sign in as Domain Administrator