How to use Group Managed Service Accounts and why you should do it


Managing accounts for multiple systems can be a complex and manual task, which leads to insecure configurations. Fortunately, Microsoft provides an easy way to set up and maintain service accounts.

Managing service accounts in an enterprise environment can be a complex task, especially as organizations grow in size and complexity. Group Managed Service Accounts (gMSA) offer a solution to simplify the management of service accounts by allowing administrators to centrally manage and configure them within Active Directory.

Understanding Group Managed Service Accounts (gMSA)

Group Managed Service Accounts (gMSA) are a feature introduced in Windows Server 2012 that enhances the security and manageability of service accounts. Unlike traditional service accounts, a gMSA is tied to an Active Directory group: every server in that group can use the same gMSA without per-server account configuration, and only the servers in that group are allowed to retrieve its password. gMSAs provide automatic password management, making them an ideal choice for services that run on multiple servers in a distributed environment.

Setting Up Group Managed Service Accounts

Prepare Active Directory Environment

Before creating gMSAs, ensure that your Active Directory environment is running at the Windows Server 2012 functional level or higher. Additionally, confirm that the server where you plan to create the gMSA has the necessary permissions to do so.
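The following script is an added example, not code from the original post. It checks the two prerequisites before you create any gMSA: the functional level mentioned above, and the existence of a KDS root key, which the post does not mention but which the domain controllers need to derive gMSA passwords (New-ADServiceAccount fails with "Key does not exist" without one). It assumes the RSAT-AD-PowerShell feature is installed and that you run it with domain admin rights.

```powershell
# Added example: gMSA prerequisite check (not part of the original post).
Import-Module ActiveDirectory

# 1. Forest and domain functional level must be Windows Server 2012 or higher.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode : $($forest.ForestMode)"
"Domain mode : $($domain.DomainMode)"

# Functional levels below Windows Server 2012 do not support gMSA.
$unsupported = 'Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest',
               'Windows2008Forest', 'Windows2008R2Forest'
if ($forest.ForestMode.ToString() -in $unsupported) {
    Write-Warning "Forest functional level $($forest.ForestMode) is too low for gMSA."
}

# 2. A KDS root key must exist; it is the secret from which every gMSA password is derived.
$kdsKeys = Get-KdsRootKey
if (-not $kdsKeys) {
    Write-Warning "No KDS root key found. Create one with: Add-KdsRootKey -EffectiveImmediately"
    Write-Warning "Even with -EffectiveImmediately, allow about 10 hours for replication before creating a gMSA."
} else {
    # Show when each key became effective so you know the domain is ready.
    $kdsKeys | Select-Object KeyId, EffectiveTime, CreationTime | Format-Table -AutoSize
}
```

Run this once on a domain controller or a management host; if either check warns, fix it before continuing with the steps below.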

Install the Active Directory PowerShell Module:
Use the PowerShell module to manage gMSAs effectively. Ensure that the Active Directory PowerShell module is installed on the server where you will be creating gMSAs.
Install-WindowsFeature RSAT-AD-PowerShell

Create a Managed Service Account Group

To create a gMSA, start by creating a security group in Active Directory that will be used to manage the gMSA. This group will contain every computer object which is allowed to retrieve the password and therefore use the gMSA.
New-ADGroup -Name "Grp-MSA_MyService" -GroupScope Global -GroupCategory Security

Once the group is created, use the following command to create the gMSA and associate it with the security group.

New-ADServiceAccount -Name "MSA_MyService" -SamAccountName "MSA_MyService" -DNSHostName "MSA_MyService.<your-domain>" -PrincipalsAllowedToRetrieveManagedPassword "Grp-MSA_MyService"
I personally use the prefix MSA_ for the account name. Please be aware that the account name must not be longer than 15 characters. Note that -DNSHostName is required when creating a group managed service account; replace <your-domain> with the DNS name of your Active Directory domain.
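The script below is an added example, not code from the original post. It carries the steps of this section through end to end: it creates the group, adds the member servers to it, creates the gMSA and then verifies that the group is the only principal allowed to retrieve the password. The computer names and the DNS suffix are placeholders you must replace.

```powershell
# Added example: create the group and the gMSA, then verify who may read its password.
Import-Module ActiveDirectory

$groupName   = 'Grp-MSA_MyService'
$accountName = 'MSA_MyService'        # max. 15 characters (see note above)
$dnsSuffix   = 'example.local'        # placeholder: your AD DNS domain name
$hosts       = 'APP01', 'APP02'       # placeholder: the servers that will run the service

# 1. Security group whose members are the only computers allowed to fetch the password.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security

# 2. Add the computer objects (computer accounts, not user accounts).
$computers = $hosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $computers

# 3. The gMSA itself. -DNSHostName is required for a group MSA; the 30-day
#    password rotation is the default and is only stated explicitly here.
New-ADServiceAccount -Name $accountName `
    -SamAccountName $accountName `
    -DNSHostName "$accountName.$dnsSuffix" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -ManagedPasswordIntervalInDays 30

# 4. Verify: the only principal listed should be our group. Anything else here
#    means another computer or user could fetch the service's password.
Get-ADServiceAccount -Identity $accountName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, SamAccountName, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# Caveat: a computer added to the group only carries the new group SID in its Kerberos
# ticket after a reboot (or after purging the computer account's tickets), so
# Install-ADServiceAccount on that server may fail until then.
```

The verification in step 4 is worth re-running periodically: PrincipalsAllowedToRetrieveManagedPassword is the whole access control of a gMSA, so an unexpected entry there is equivalent to a leaked service password.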

Install the gMSA on Servers

After creating the gMSA, install it on the servers where your services will be running.

Please note: you might have to install the Active Directory cmdlets first with the following commands:
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

Use the following PowerShell command on each server using the gMSA:
Install-ADServiceAccount -Identity "MSA_MyService"
Now you can test if your account is working:
Test-ADServiceAccount -Identity "MSA_MyService"
This should give you the result “True”.

Configure Services to Use the gMSA

Update the service configuration on each server to use the gMSA. You can do this through the Services snap-in or from a PowerShell prompt with sc.exe. The gMSA is referenced as DOMAIN\MSA_MyService$ (trailing $) and no password is given, because the server retrieves it from Active Directory itself. DOMAIN is a placeholder for your NetBIOS domain name, and the space after each = is required by sc.exe:
sc.exe config "MyService" obj= "DOMAIN\MSA_MyService$" password= ""

If you are using a GUI dialog to add the gMSA, you might have to select “Service Accounts” as object type and add a $ at the end of the gMSA account name:

Object Types dialog

Start Services Using gMSA

Start the services associated with the gMSA, and verify that they are running as expected.
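As an added example (not code from the original post), the following script runs on one member server and ties the last three sections together: it installs and tests the gMSA, re-points an existing service at it through the Win32_Service.Change CIM method, restarts the service and then checks that it really runs under the gMSA. The NetBIOS domain name "CONTOSO" and the service name "MyService" are placeholders.

```powershell
# Added example: install the gMSA on this host, assign it to a service, restart and verify.
Import-Module ActiveDirectory

$domainNetbios = 'CONTOSO'         # placeholder: your NetBIOS domain name
$accountName   = 'MSA_MyService'
$serviceName   = 'MyService'       # placeholder: the service's short (not display) name
$logonAccount  = "$domainNetbios\$accountName$"   # a gMSA is always referenced with a trailing $

# 1. Cache the account on this host and confirm the password can actually be retrieved.
Install-ADServiceAccount -Identity $accountName
if (-not (Test-ADServiceAccount -Identity $accountName)) {
    throw "This computer cannot retrieve the password for $accountName. Is it in the group, and has it rebooted since being added?"
}

# 2. Change the service logon account. There is no password to type for a gMSA,
#    so StartPassword is passed empty.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service $serviceName not found on this host." }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $logonAccount
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# 3. Restart and verify that the service runs as the gMSA. If it fails to start with a
#    logon failure, the account still needs the 'Log on as a service' right on this host.
Restart-Service -Name $serviceName
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
[pscustomobject]@{
    Service  = $svc.Name
    State    = $svc.State
    RunsAs   = $svc.StartName
    Expected = $logonAccount
    Ok       = ($svc.State -eq 'Running' -and $svc.StartName -eq $logonAccount)
}
```

The final object is what you want to see from every server in the group: State Running, RunsAs equal to the expected DOMAIN\MSA_MyService$, and Ok True. Any server where Test-ADServiceAccount returns False is one that is not (yet) entitled to the password, which is exactly the restriction the group is there to enforce.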
