Enable-DACertkit
1.0
DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Directory.
The following actions are performed:
- Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account.
- Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned.
- Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member.
- Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts).
- Stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service StartName was updated correctly, and restarts the service.
For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password to configure the service.
This script requires Administrator privileges and the GroupPolicy and RemoteAccess PowerShell modules.
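As an added example (not part of the Enable-DACertkit script or the CertKit.io agent), the following read-only PowerShell check reports whether the delegation described above is actually in place on a DirectAccess server, so drift can be caught before the next certificate renewal fails. It assumes the service is registered as 'certkit-agent', that the two GPOs keep their default display names, and that a gMSA is addressed with -TargetType Computer (gMSA objects derive from the computer class).

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
function Test-DACertkitDelegation {
    param(
        [Parameter(Mandatory)][string]$AccountName,         # 'svc-certkit$' (gMSA) or 'svc-certkit'
        [string]$ServiceName = 'certkit-agent',            # assumed service name
        [string[]]$GpoNames = @('DirectAccess Client Settings', 'DirectAccess Server Settings')
    )
    $sam      = $AccountName.TrimEnd('$')
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Resolve the account and decide whether it is a gMSA or a standard user.
    $gmsa = Get-ADServiceAccount -Filter "SamAccountName -eq '${sam}$'" -ErrorAction SilentlyContinue
    if ($gmsa) {
        $targetType = 'Computer'; $targetName = "${sam}$"
    } elseif (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        $targetType = 'User'; $targetName = $sam
    } else {
        $findings.Add("Account '$AccountName' was not found in Active Directory")
        return $findings
    }

    # 2. Each GPO must grant exactly 'Edit settings, delete, modify security'.
    foreach ($gpo in $GpoNames) {
        $perm = Get-GPPermission -Name $gpo -TargetName $targetName -TargetType $targetType -ErrorAction SilentlyContinue
        if (-not $perm -or $perm.Permission -ne 'GpoEditDeleteModifySecurity') {
            $findings.Add("GPO '$gpo': expected GpoEditDeleteModifySecurity, found '$($perm.Permission)'")
        }
    }

    # 3. The account must be a member of the local Administrators group.
    $netbios = (Get-ADDomain).NetBIOSName
    $admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($admins -notcontains "$netbios\$targetName") {
        $findings.Add("'$netbios\$targetName' is not in the local Administrators group")
    }

    # 4. The service must already run as that account (StartName is DOMAIN\account).
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        $findings.Add("Service '$ServiceName' is not installed")
    } elseif ($svc.StartName -ne "$netbios\$targetName") {
        $findings.Add("Service '$ServiceName' runs as '$($svc.StartName)', expected '$netbios\$targetName'")
    }
    # The 'Log on as a service' right (standard accounts only) is not checked here;
    # it requires exporting local security policy with secedit.
    return $findings   # empty list means every check passed
}

Test-DACertkitDelegation -AccountName 'svc-certkit$'
```

Run it elevated on the DirectAccess server after Enable-DACertkit; any non-empty output is a finding to remediate.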
Copyright
Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved.
Package Details
Author(s)
- Richard Hicks
Tags
Microsoft DirectAccess CertKit Certificate TLS SSL IPHTTPS IPv6
Dependencies
This script has no dependencies.
FileList
- Enable-DACertkit.nuspec
- Enable-DACertkit.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 1.0 (current version) | 5 | 3/7/2026 |