Important Points about Group Managed Service Accounts
Group Managed Service accounts are perfect identity solutions for services running on multiple hosts and using group them password management requires no administration overhead as password management is handled automatically using Windows Server 2012/2012 R2 across multiple hosts. It also supports offline hosts which are not connected to network for a period of time, and when they go back online, the password is synchronized on the service running on them and the service can start successfully. It is also important to take note that failover clusters currently do not support gMSAs but the services running on top of clusters can support them if they are a Windows service, an App pool, a scheduled task or they natively support gMSA.
Please also take note that you can only configure and administer group managed service accounts on Windows Server 2012/2012 R2 but you can still have other domain controllers running earlier versions of Windows Server operating system. There are very important points to take into consideration when configuring managed service accounts:
- Managed service accounts can work across domain boundaries as long as the required domain trusts exist.
- A managed service account can be placed in a security group.
- Managed service accounts can be stored anywhere in Active Directory, nevertheless there is also a specific container for them.
- Passwords are automatically created for managed service accounts and are refreshed every 30 days. You can change a password manually.
Configuring Group Managed Service Accounts
In this exercise you will learn how to create a Group Managed Service Account on a domain controller and how to validate and use it on a member server:
- Log on to Example-DC01 (Domain Controller).
- Open the Start screen and type Active Directory Administrative Center and press Enter.
- On the left sidebar click the arrow beside Example (Local) and from the menu click Users.
- On the right sidebar click New and then click Group.
- On the Create Group window, type gMSA_Group for the Group name and then click Members in the left pane and then click Add.
- Click Object Types, select Computers and then click OK. Type Example-Server01 below Enter the object names to select and click OK.
- Click OK to create the group and close the window.
- Open the Start screen again and type Windows PowerShell and press Enter.
- On the PowerShell window type the following command and press Enter to create a KMS root key to generate unique passwords for object in your Group Managed Service Account:
- Add-KdsRootKey -EffectiveTime ((Get-Date).addhours(-10))
- On the PowerShell window type the following command and press Enter to create and configure your Group Managed Service Account called gMSAcct01:
- New-ADServiceAccount gMSAcct01 -DNSHostName gMSA_Group.Example.com -PrincipalsAllowedToDelegateToAccount gMSA_Group -ServicePrincipalNames HTTP/Example-DC01.HTTP/Example-DC01.Example.com
- To Give the needed permission to Example-Server01 type the following command on the PowerShell window and press Enter:
- Set-ADServiceAccount -Identity gMSAcct01 -PrincipalsAllowedToRetrieveManagedPassword Example-Server01$
- To configure your Group Managed Service Account on Example-Server01, log on to it.
- On the Start screen type Services.msc and press Enter.
- On the Services window, right click the Internet Connection Sharing service (Any other services could be selected) and click Properties.
- On the Properties window, select the Log On tab, select This account and enter Example.com\gMSAcct01$ in the first textbox and leave the password textboxes blank and then click OK.
If you are interested in security and you want more of these detailed step-by-step guides, you could have a look at my recently published ebook by clicking on the book cover below: