gMSA Accounts


A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate that management to other administrators. Unlike a standalone Managed Service Account (sMSA), which is tied to a single computer, a gMSA can be used by services running on multiple servers, such as a server farm, ADFS, IIS or systems behind a network load balancer.

As noted above, the main benefit from an identity perspective is that there is no password for an administrator to manage. The gMSA is installed on the servers that need it and Windows handles generating and rotating the account's password.

This makes the solution easier to manage, since no user interaction is required to rotate the password on a regular basis. Rotating a classic service account password normally involves changing it in Active Directory and then updating every service that uses the account so it keeps running. gMSA also eliminates service accounts with static passwords that are set at creation and never rotated again, which in my experience is very common among customers.

Another very important property of gMSA accounts is that they cannot be used for interactive logon to any computer in the domain. This ensures the service account is only used for its intended purpose of running a service.

One thing to keep in mind is that this feature is only available from Windows Server 2012 onwards: you need at least one Windows Server 2012 domain controller with the matching schema, and the hosts running the service must be Windows Server 2012 or later. If your forest is still running on Windows Server 2008 R2, forget it and upgrade your forest 🙂

If you want to go ahead and create your gMSA account, you can do it by executing the following PowerShell (the Active Directory module is required):

New-ADServiceAccount -Name AccountgMSA -DNSHostName AccountgMSA.fqdn -PrincipalsAllowedToRetrieveManagedPassword nameoftheServerstoretrievethegmsaaccount$ -KerberosEncryptionType RC4, AES128, AES256

The trailing $ is not a typo: it is part of the sAMAccountName of a computer account, so it is required when you name the servers allowed to retrieve the password. Note that RC4 is only listed here for compatibility; if every host is Windows Server 2012 or later, restrict -KerberosEncryptionType to AES128, AES256. If you execute the command and it fails with an error stating that the key does not exist:

You will need to create a KDS root key first, which you can do with the following command:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Backdating the effective time by 10 hours makes the key usable immediately, which is fine in a lab with a single domain controller. In production, use Add-KdsRootKey -EffectiveImmediately instead and wait up to 10 hours for the key to replicate to all domain controllers before creating the gMSA.

Once the key exists, run the New-ADServiceAccount command again to create the account, which will then appear in Active Directory Users and Computers under the Managed Service Accounts container.
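As an added end-to-end example (not code from the original post), here is the whole procedure described above carried through: check for a KDS root key, put the hosts in a security group, create the gMSA with AES-only encryption, verify who may retrieve its password, and then install and test the account on the member servers. The domain, host, group, account and service names (CORP, corp.example.com, WEB01, WEB02, gMSA-Web-Hosts, svc-web, MyWebService) are hypothetical placeholders.

```powershell
# Added example, not from the original post. CORP, corp.example.com, WEB01/WEB02,
# gMSA-Web-Hosts, svc-web and MyWebService are hypothetical placeholders.
Import-Module ActiveDirectory

# --- On a domain controller or admin workstation with the AD module ---

# 1. Make sure a KDS root key exists; without it New-ADServiceAccount fails
#    with "Key does not exist".
if (-not (Get-KdsRootKey)) {
    # Production: the key becomes effective after the 10-hour replication window.
    Add-KdsRootKey -EffectiveImmediately
    # Lab with a single DC only: backdate the key so it is usable right away.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Put the hosts that may retrieve the password in a security group instead of
#    listing computer accounts one by one. Any principal in this group can read
#    the gMSA password, so treat membership as a privileged right and audit it.
New-ADGroup -Name 'gMSA-Web-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example,DC=com'
Add-ADGroupMember -Identity 'gMSA-Web-Hosts' `
    -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. Create the gMSA: AES only (no RC4), 30-day rotation, SPN for the web farm.
#    ManagedPasswordIntervalInDays can only be set at creation time.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-Web-Hosts' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/web.corp.example.com'

# 4. Verify who is allowed to retrieve the password and which etypes are enabled.
Get-ADServiceAccount -Identity 'svc-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType

# --- On each member server (WEB01, WEB02), after a reboot so the computer's
#     Kerberos ticket reflects its new group membership ---

Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity 'svc-web'
# Returns True only if this host can actually retrieve the managed password.
Test-ADServiceAccount -Identity 'svc-web'

# 5. Run the service as the gMSA: the account name ends in $, the password is left empty.
sc.exe config 'MyWebService' obj= 'CORP\svc-web$' password= ''
```

If Test-ADServiceAccount returns False right after adding a host to the group, the host is almost always still holding its old computer ticket; reboot it (or otherwise refresh the computer account's Kerberos tickets) and test again. Keep the group in step 2 tight: every member can retrieve the gMSA password, so adding a host to it is equivalent to handing that host the account's credential.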
