Enable-DACertkit

2.0

DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Di
DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Directory.

The following actions are performed:

- Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account.
- Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned.
- Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member.
- Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts).
- Prompts for the service account password (standard domain user accounts only), stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service logon account was updated correctly, and restarts the service.

For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password before the service is stopped and reconfigured. The password is applied using the Win32_Service WMI class so it is never exposed on a process command line or in process creation audit events.

Security note: The service account is granted rights to modify the DirectAccess client and server GPOs and is added to the local Administrators group on the DirectAccess server. These permissions affect all DirectAccess clients and servers to which the GPOs apply. Protect the account accordingly; using a gMSA is strongly recommended.

All configuration changes support -WhatIf and -Confirm. This script requires Administrator privileges, Windows PowerShell 5.1, and the GroupPolicy and RemoteAccess PowerShell modules.

Show more

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Script -Name Enable-DACertkit

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved.

Package Details

Author(s)

  • Richard Hicks

Tags

Microsoft DirectAccess CertKit Certificate TLS SSL IPHTTPS IPv6

Functions

Grant-LogOnAsService

PSEditions

Desktop

Dependencies

This script has no dependencies.

FileList

Version History

Version Downloads Last updated
2.0 (current version) 6 7/9/2026
1.1.1 6 6/15/2026
1.0 15 3/7/2026