Important Points about Group Managed Service Accounts
Group Managed Service Accounts (gMSAs) are an ideal identity solution for services that run on multiple hosts. Using them adds no administrative overhead for password management, because Windows Server 2012/2012 R2 handles the password automatically across all of those hosts. gMSAs also support hosts that are disconnected from the network for a period of time: when such a host comes back online, the password used by the service running on it is synchronized and the service can start successfully. Note that failover clusters currently do not support gMSAs, but services running on top of a cluster can use them if they are a Windows service, an App pool, a scheduled task, or if they natively support gMSAs.
Note also that you can only configure and administer group managed service accounts on Windows Server 2012/2012 R2, although other domain controllers in the domain may still run earlier versions of Windows Server. There are several important points to take into consideration when configuring managed service accounts:
- Managed service accounts can work across domain boundaries as long as the required domain trusts exist.
- A managed service account can be placed in a security group.
- Managed service accounts can be stored anywhere in Active Directory, although there is also a dedicated container for them.
- Passwords for managed service accounts are generated automatically and rotated every 30 days. A password can also be changed manually.
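The points above translated into an administrative walkthrough, as an added example that is not code from the original page. It assumes a lab domain contoso.com, hosts WEB01 and WEB02, a host security group named WebHosts and a gMSA named svc-web; the cmdlets are the standard ActiveDirectory module cmdlets, run from a Windows Server 2012/2012 R2 domain member with the RSAT AD tools.

```powershell
# Added example: provisioning a gMSA following the points listed above.
# Assumed names: domain contoso.com, group WebHosts, gMSA svc-web, hosts WEB01/WEB02.
Import-Module ActiveDirectory

# 1. A KDS root key is required once per forest before any gMSA can be created.
#    Even with -EffectiveImmediately, other DCs only use it after ~10 hours of replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Allow password retrieval by a security group of hosts rather than by individual
#    computers, so adding a host later is only a group-membership change (least privilege:
#    only members of this group can ever read the managed password).
$hostGroup = Get-ADGroup -Filter { Name -eq 'WebHosts' }
if (-not $hostGroup) {
    $hostGroup = New-ADGroup -Name 'WebHosts' -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. Create the gMSA. The 30-day rotation from the text is made explicit here;
#    the interval can only be set at creation time, not changed afterwards.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/web.contoso.com'

# 4. Check: who may retrieve the password, and what the rotation interval is.
Get-ADServiceAccount -Identity 'svc-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# 5. On each host, after a reboot so the new group membership is in the computer's
#    Kerberos token: install the account and confirm the host can retrieve the password.
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'   # True when the password was retrieved successfully
```

If Test-ADServiceAccount returns False, the usual cause is that the host's computer account is not yet in the WebHosts group from the host's own point of view (stale token) or the KDS root key has not replicated to the DC the host is talking to.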