Group Managed Service Account (gMSA)

September 11, 2021, Active Directory

A Managed Service Account (MSA) is an Active Directory account type designed to run services, applications, and scheduled tasks securely. Active Directory manages (changes) the account's password automatically, so no administrator has to know, store or rotate it; this considerably reduces the risk of a service account being compromised through a stale, shared or weakly stored password. The original standalone MSA has one major limitation: it can be used on only one computer.

Microsoft later introduced Group Managed Service Accounts (gMSA), which can be used on multiple servers.

A gMSA extends that functionality across multiple servers. When a service runs under a gMSA, Windows and Active Directory manage the account's password instead of an administrator: the host retrieves the current password from a domain controller (the msDS-ManagedPassword attribute) when it needs it, and nobody ever types it. Interactive logon is not allowed. Two caveats matter for a defender: any principal listed in PrincipalsAllowedToRetrieveManagedPassword can read the password from AD, so that list is the real access control; and once the service is running, its credential material is held by LSASS on that host like any other service logon, so a gMSA protects against password sprawl and stale passwords, not against an attacker who already has SYSTEM on the host.

  • You control which hosts may use a gMSA by putting their computer accounts in a security group and granting that group permission to retrieve the managed password.
  • Domain controllers require a KDS root key before they can generate gMSA passwords.
  • Deleting and recreating the root key may lead to the old key continuing to be used after deletion, because the key is cached.
  • If the root key is recreated, restart the Key Distribution Service (KDS) on all domain controllers.

Note: a new root key becomes usable only 10 hours after it is created, which gives it time to replicate to all domain controllers.

Create the KDS root key
# Production: the key still becomes usable only 10 hours after creation, once replication has completed
Add-KdsRootKey -EffectiveImmediately
# Lab or test only (single DC): backdate the effective time to skip the 10-hour wait
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Use the following command to check that the KDS root key is usable (if more than one key exists, pass a single KeyId): Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId

New-ADServiceAccount SA-002 -DNSHostName "SA-002.$((Get-ADDomain).DNSRoot)" -PrincipalsAllowedToRetrieveManagedPassword DC-1$ -KerberosEncryptionType AES128,AES256 -ManagedPasswordIntervalInDays 7 -AccountExpirationDate (Get-Date).AddDays(90)

  • The account may be used only on DC-1 (in production, replace DC-1$ with a security group containing the servers that should use the account)
  • Interactive logon is not allowed
  • The password is rotated every 7 days (the default is 30 days)
  • The account expires after 90 days (by default it never expires)

The following commands install and test the service account on the target server (run them on that server; they need the Active Directory PowerShell module):

Install-ADServiceAccount -Identity SA-002
Test-ADServiceAccount SA-002

In the target service's properties (Log On tab), set the service to run as the gMSA: enter the account as DOMAIN\SA-002$ and leave both password fields empty.

After the changes are saved, the service has to be restarted. The Services console grants the account the "Log on as a service" right, and the password is retrieved automatically from Active Directory when the service starts.
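The whole procedure above, from KDS root key to a running service, as an added example that is not part of the original post. It replaces the single computer (DC-1$) with a host security group, sets the rotation and expiry values the post lists, and verifies each step before moving on. The group name gMSA-SA-002-Hosts, the host APP-01 and the service name MyService are placeholders chosen for this example; the domain name is read from Active Directory rather than hard-coded.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module.
# Part 1 runs on a domain-joined admin workstation; part 2 runs on the target host.
# Placeholders: group 'gMSA-SA-002-Hosts', host 'APP-01', service 'MyService'.
Import-Module ActiveDirectory

# 1. KDS root key: create one only if none exists. The 10-hour delay is deliberate
#    (replication); backdating EffectiveTime is acceptable only in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}
$key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
if (-not (Test-KdsRootKey -KeyId $key.KeyId)) {
    throw "KDS root key $($key.KeyId) is not usable yet (effective $($key.EffectiveTime)); wait for replication."
}

# 2. Security group holding the computers allowed to retrieve the password.
#    Keep membership tight: every member can read msDS-ManagedPassword from AD.
$groupName = 'gMSA-SA-002-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Hosts allowed to retrieve the SA-002 gMSA password'
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer 'APP-01')

# 3. The gMSA: AES-only Kerberos, 7-day rotation, 90-day expiry, DNS name derived from the domain.
$domain = (Get-ADDomain).DNSRoot
New-ADServiceAccount -Name 'SA-002' `
    -DNSHostName "SA-002.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 7 `
    -AccountExpirationDate (Get-Date).AddDays(90)

# 4. Verify the retrieval permission; this list is the access control that matters.
Get-ADServiceAccount -Identity 'SA-002' -Properties PrincipalsAllowedToRetrieveManagedPassword,
    ManagedPasswordIntervalInDays, AccountExpirationDate, KerberosEncryptionType |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays,
        AccountExpirationDate, KerberosEncryptionType

# ---- Part 2: on the target host (APP-01). The host's Kerberos ticket must contain the new
# ---- group membership first: reboot, or purge the SYSTEM logon session's tickets with
# ---- 'klist -li 0x3e7 purge' from an elevated prompt.
Install-ADServiceAccount -Identity 'SA-002'
if (-not (Test-ADServiceAccount -Identity 'SA-002')) {
    throw 'Host cannot retrieve the managed password: check group membership and replication.'
}

# 5. Point the service at the gMSA with an empty password. sc.exe does not grant the
#    "Log on as a service" right, so grant it via GPO or set the account once in services.msc,
#    which grants it for you.
$acct = "$((Get-ADDomain).NetBIOSName)\SA-002$"
$p = Start-Process -FilePath sc.exe -ArgumentList "config MyService obj= `"$acct`" password= `"`"" `
        -Wait -NoNewWindow -PassThru
if ($p.ExitCode -ne 0) { throw "sc.exe config failed with exit code $($p.ExitCode)" }
Restart-Service -Name MyService
```

The step-4 check is the one to keep in a recurring audit: if PrincipalsAllowedToRetrieveManagedPassword ever contains a broad group such as Domain Computers, every machine in the domain can read the gMSA password and the account is no better protected than a shared password.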

For Kerberos delegation on an ordinary account you would register a Service Principal Name (SPN), for example with the setspn command, and then configure delegation on the account's Delegation tab in Active Directory Users and Computers. For standalone and group Managed Service Accounts, however, the Delegation tab does not appear.

To configure delegation for these accounts, you need to set the relevant attributes yourself. Two attributes are involved:

  • userAccountControl holds the flags that define the type of delegation: TRUSTED_FOR_DELEGATION (unconstrained) and TRUSTED_TO_AUTH_FOR_DELEGATION (constrained delegation with protocol transition)
  • msDS-AllowedToDelegateTo holds the SPNs of the services to which the account is allowed to delegate (constrained delegation)

To leave the account with no delegation at all (the equivalent of "Do not trust this computer for delegation"), clear both flags and empty the SPN list. Unconstrained delegation in particular is a well-known escalation path: anyone who compromises the host can reuse the TGTs of every user who authenticates to the service, so enable delegation only where a service genuinely needs it.

Set-ADAccountControl -Identity SA-002$ -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADServiceAccount -Identity SA-002$ -Clear 'msDS-AllowedToDelegateTo'
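An added example, not from the original post, that turns the two attributes described above into an audit: it decodes the two delegation bits in userAccountControl for every gMSA in the domain, lists the constrained-delegation SPNs and the password-retrieval principals, and wraps the post's two clearing commands in a function that can be applied to any account flagged by the report. The function and variable names are this example's own; the bit values are the documented ADS_UF_* flag values.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Documented userAccountControl flag values (ADS_UF_TRUSTED_FOR_DELEGATION,
# ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)
$TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition

function Get-GmsaDelegationReport {
    # One object per gMSA: which delegation bits are set, where it may delegate,
    # and who is allowed to read its managed password.
    Get-ADServiceAccount -Filter * -Properties userAccountControl, 'msDS-AllowedToDelegateTo',
        PrincipalsAllowedToRetrieveManagedPassword |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Name               = $_.Name
            Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            ConstrainedTo      = @($_.'msDS-AllowedToDelegateTo')
            RetrievedBy        = @($_.PrincipalsAllowedToRetrieveManagedPassword)
        }
    }
}

function Clear-GmsaDelegation {
    # The same two operations the post shows for SA-002, applied to a named gMSA
    param([Parameter(Mandatory)][string]$Name)
    $sam = $Name + '$'
    Set-ADAccountControl -Identity $sam -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    Set-ADServiceAccount -Identity $sam -Clear 'msDS-AllowedToDelegateTo'
}

$report = Get-GmsaDelegationReport
$report | Format-Table Name, Unconstrained, ProtocolTransition, ConstrainedTo, RetrievedBy -AutoSize

# Unconstrained delegation on a service account lets whoever compromises the host
# impersonate every user that authenticates to it; surface those accounts first.
$report | Where-Object { $_.Unconstrained -or $_.ProtocolTransition } | ForEach-Object {
    Write-Warning ("{0}: unconstrained={1} protocolTransition={2}" -f $_.Name, $_.Unconstrained, $_.ProtocolTransition)
    # Clear-GmsaDelegation -Name $_.Name   # uncomment to remediate after review
}
```

Run the report before and after any delegation change: because the Delegation tab is missing for these accounts, the raw attribute values are the only place the setting is visible, and a constrained-delegation entry left in msDS-AllowedToDelegateTo after the flags are cleared is easy to miss.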

