ADDS Group Managed Service Accounts

This guide covers the creation and management of Active Directory Domain Services (ADDS) Group Managed Service Accounts (gMSA). Group Managed Service Accounts are system-managed service accounts that behave much like computer accounts: Active Directory generates the password, rotates it automatically (every 30 days by default), and no human ever knows it. A gMSA removes much of the risk of traditional service accounts, where passwords are rotated infrequently (or never), are often shared by several administrators, and can be reused by anyone who learns them.

Steps in this guide can be performed on any computer joined to the domain that has the Active Directory PowerShell module (part of RSAT) installed. Interactive access to a domain controller is not necessary.

Requirements

  • Domain Administrator, or delegated privileges to create Managed Service Accounts and Security Enabled Groups.
  • A KDS root key in the domain. This is a one-time step performed by a Domain Administrator (Add-KdsRootKey); until the key exists and has replicated, New-ADServiceAccount fails with "Key does not exist".
  • At least one Windows Server 2012 or later domain controller, and Windows Server 2012 / Windows 8 or later on the hosts that will use the gMSA.

Summary Steps

  • Create a Security Enabled Group
  • Create a Managed Service Account

Create a Security Enabled Group

The security group will be used to control which computers are allowed to retrieve the Managed Service Account password. For each server that will need access to the Managed Service Account, add the computer object (not a user account) as a member of the security group. Note that a computer's Kerberos ticket is issued when it boots, so a server added to the group cannot retrieve the password until it has been rebooted or its system tickets have been purged (klist -li 0x3e7 purge).

Create a Managed Service Account

Create a Managed Service Account and tie the account to the security group previously created. The MSA object also needs a DNS host name (the -DNSHostName parameter), since under the hood it functions much like a computer object within the domain. The account name is limited to 15 characters, because it becomes the sAMAccountName with a trailing $ appended. Developing and using a naming convention is recommended.

Managed Service Accounts are created in PowerShell with New-ADServiceAccount, from the ActiveDirectory module.

The following sample creates a gMSA named msa.ca.ces (sAMAccountName msa.ca.ces$) whose password may be retrieved only by members of the security group "GMSA-CA-CES".

Import-Module ActiveDirectory

$ServiceAccountName = "msa.ca.ces"                        # becomes sAMAccountName msa.ca.ces$ (max 15 chars)
$ServiceAccountHostName = "msa-ca-ces.lan.wolfspirit.net"   # DNS host name required for the object
$GroupName = "GMSA-CA-CES"                                # computers in this group may retrieve the password

New-ADServiceAccount -Name $ServiceAccountName -DNSHostName $ServiceAccountHostName -PrincipalsAllowedToRetrieveManagedPassword (Get-ADGroup $GroupName)

# Note: If RC4 is disabled in the domain, additionally pass "-KerberosEncryptionType AES128,AES256"
# so the account is created with AES keys only.
(Screenshots: the gMSA OU and the resulting gMSA object in Active Directory Users and Computers.)
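The two summary steps above, carried through end to end as one script. This is an added example, not code from the original guide: it reuses the guide's group and account names, and the OU path, member server names, and 30-day rotation interval are assumptions. It also checks the KDS root key prerequisite and confirms afterwards who may read the password.

```powershell
# Added example (not part of the original guide). Run from a domain-joined
# workstation with the ActiveDirectory module (RSAT) as a user who may create
# groups and service accounts. Names below are taken from the guide except
# where marked as assumed.
Import-Module ActiveDirectory

$GroupName              = "GMSA-CA-CES"
$ServiceAccountName     = "msa.ca.ces"
$ServiceAccountHostName = "msa-ca-ces.lan.wolfspirit.net"
$TargetOU      = "OU=Service Accounts,DC=lan,DC=wolfspirit,DC=net"   # assumed OU
$MemberServers = @("CA01", "CES01")                                   # assumed hosts

# 1. gMSA passwords are derived from the KDS root key. Without one,
#    New-ADServiceAccount fails with "Key does not exist". Creating the key
#    (Add-KdsRootKey) is a one-time domain admin step; allow about 10 hours
#    for replication before it is usable.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key exists in this domain. Ask a domain admin to run Add-KdsRootKey."
}

# 2. Security group that gates password retrieval. Idempotent: skip if present.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU `
        -Description "Computers allowed to retrieve the $ServiceAccountName gMSA password"
}

# 3. Members are computer objects, not users. A member's Kerberos ticket is
#    issued at boot, so reboot the host (or run "klist -li 0x3e7 purge" on it)
#    after adding it here; until then it cannot fetch the password.
$Computers = $MemberServers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $Computers

# 4. The gMSA itself. -Name is limited to 15 characters (it becomes the
#    sAMAccountName "msa.ca.ces$"). Restricting to AES is safe whether or not
#    RC4 is disabled. The rotation interval can only be set at creation time.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$ServiceAccountName'")) {
    New-ADServiceAccount -Name $ServiceAccountName `
        -DNSHostName $ServiceAccountHostName `
        -Path $TargetOU `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADGroup $GroupName) `
        -KerberosEncryptionType AES128,AES256 `
        -ManagedPasswordIntervalInDays 30
}

# 5. Verify the result: the only principal listed should be the group's DN.
$props = "PrincipalsAllowedToRetrieveManagedPassword", "ManagedPasswordIntervalInDays", "KerberosEncryptionType"
Get-ADServiceAccount -Identity $ServiceAccountName -Properties $props |
    Format-List Name, SamAccountName, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword,
                ManagedPasswordIntervalInDays, KerberosEncryptionType
```

Keeping PrincipalsAllowedToRetrieveManagedPassword pointed at a single group, rather than at individual computers, means access is audited and revoked in one place: removing a decommissioned server from GMSA-CA-CES is all that is needed to stop it reading the password at the next rotation.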

Using the Managed Service Account

Managed Service Accounts can be used only in applications where the feature is supported. Common examples are Scheduled Tasks, Windows Services, Microsoft SQL Server, Microsoft IIS application pools, and so on.

When assigning a gMSA to an application, the username must carry a trailing $, just like a computer object. In the previous example code, the account name assigned to the application would be "msa.ca.ces$". The password field should be left blank, as the computer uses its membership in the associated security group to retrieve the current account password from Active Directory. Two practical notes: the Task Scheduler GUI cannot assign a gMSA, so scheduled tasks must be created with PowerShell or schtasks, and Test-ADServiceAccount run on the host is the quickest way to confirm that it can actually retrieve the password before configuring an application.
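Host-side use of the account, as an added example that is not part of the original guide: it verifies the host can retrieve the password, then assigns the gMSA to a scheduled task and to a Windows service. The domain NetBIOS name "LAN", the task name, the script path and the service name are assumptions; the account name comes from the guide.

```powershell
# Added example (not part of the original guide). Run on a member server that
# is in GMSA-CA-CES and has been rebooted since being added. "LAN", the task,
# script and service names are assumptions.
$Gmsa = "LAN\msa.ca.ces$"      # sAMAccountName form: trailing $ required, no password

# 1. Prove this host can retrieve the managed password. Needs the
#    ActiveDirectory module on the host; returns $true on success.
Import-Module ActiveDirectory
if (-not (Test-ADServiceAccount -Identity "msa.ca.ces")) {
    throw "Cannot retrieve the gMSA password on this host: check group membership, then reboot or purge system tickets."
}

# 2. Scheduled task. The GUI cannot set a gMSA, so use the cmdlets.
#    -LogonType Password tells Task Scheduler to fetch the credential itself
#    instead of prompting for one.
$Action    = New-ScheduledTaskAction -Execute "PowerShell.exe" `
                 -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Renew-Certs.ps1'   # assumed script
$Trigger   = New-ScheduledTaskTrigger -Daily -At "02:00"
$Principal = New-ScheduledTaskPrincipal -UserId $Gmsa -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName "CES Certificate Renewal" -Action $Action `
    -Trigger $Trigger -Principal $Principal -Force | Out-Null

# 3. Windows service. Changing the logon account through WMI/CIM (or sc.exe)
#    does NOT grant "Log on as a service" the way services.msc does, so grant
#    that right to LAN\msa.ca.ces$ via GPO or local security policy first.
#    The password is deliberately empty; LSA retrieves it from the domain.
$ServiceName = "MyCesService"                              # assumed service
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
              -Arguments @{ StartName = $Gmsa; StartPassword = "" }
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}
Restart-Service -Name $ServiceName

# 4. Confirm the identity the service and task now run as.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName   # expect LAN\msa.ca.ces$
(Get-ScheduledTask -TaskName "CES Certificate Renewal").Principal.UserId
```

The equivalent command-line form for the service step is sc.exe config MyCesService obj= "LAN\msa.ca.ces$" password= "" (note the space after each =); the CIM call is used above so that the return code can be checked in the script.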

Unlike the older standalone Managed Service Accounts (MSA), which are bound to one host with Install-ADServiceAccount, a gMSA is authorised through the security group, so a domain administrator does not have to install the account on each target server. Install-ADServiceAccount is optional for a gMSA, and the target server does not require the Active Directory RSAT feature unless you want to run Test-ADServiceAccount there as a diagnostic. An administrator can therefore create and provision a gMSA for a server operator without granting the server operator any additional privileges.