Enable-DACertkit
2.0
DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Di
DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Directory.
The following actions are performed:
- Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account.
- Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned.
- Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member.
- Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts).
- Prompts for the service account password (standard domain user accounts only), stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service logon account was updated correctly, and restarts the service.
For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password before the service is stopped and reconfigured. The password is applied using the Win32_Service WMI class so it is never exposed on a process command line or in process creation audit events.
Security note: The service account is granted rights to modify the DirectAccess client and server GPOs and is added to the local Administrators group on the DirectAccess server. These permissions affect all DirectAccess clients and servers to which the GPOs apply. Protect the account accordingly; using a gMSA is strongly recommended.
All configuration changes support -WhatIf and -Confirm. This script requires Administrator privileges, Windows PowerShell 5.1, and the GroupPolicy and RemoteAccess PowerShell modules.
Show more
The following actions are performed:
- Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account.
- Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned.
- Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member.
- Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts).
- Prompts for the service account password (standard domain user accounts only), stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service logon account was updated correctly, and restarts the service.
For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password before the service is stopped and reconfigured. The password is applied using the Win32_Service WMI class so it is never exposed on a process command line or in process creation audit events.
Security note: The service account is granted rights to modify the DirectAccess client and server GPOs and is added to the local Administrators group on the DirectAccess server. These permissions affect all DirectAccess clients and servers to which the GPOs apply. Protect the account accordingly; using a gMSA is strongly recommended.
All configuration changes support -WhatIf and -Confirm. This script requires Administrator privileges, Windows PowerShell 5.1, and the GroupPolicy and RemoteAccess PowerShell modules.
Installation Options
Owners
Copyright
Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved.
Package Details
Author(s)
- Richard Hicks
Tags
Microsoft DirectAccess CertKit Certificate TLS SSL IPHTTPS IPv6
Functions
PSEditions
Dependencies
This script has no dependencies.
FileList
- Enable-DACertkit.nuspec
- Enable-DACertkit.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 2.0 (current version) | 6 | 7/9/2026 |
| 1.1.1 | 6 | 6/15/2026 |
| 1.0 | 15 | 3/7/2026 |