Group Managed Service Accounts - Windows Server 2012

What are group managed service accounts?

Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 to manage (change) the passwords of service accounts automatically. With an MSA you can reduce the risk that the accounts running system services are compromised. An MSA can be used on only one computer, so MSAs cannot be used with cluster or NLB services, where multiple servers must operate with the same account and password. To fix this, Microsoft added Group Managed Service Accounts (gMSA) in Windows Server 2012.
To create a gMSA, follow the steps given below −
Step 1 − Create the KDS Root Key. The Key Distribution Service uses this key to generate the gMSA passwords.
To use the key immediately in a test environment, you can run the PowerShell command –
Run the PowerShell command to check whether the key was created successfully.
Step 2 − To create and configure the gMSA → Open the PowerShell terminal and type −
New-ADServiceAccount -Name gmsa1 -DNSHostName dc1.example.com -PrincipalsAllowedToRetrieveManagedPassword "gmsa1Group"
where:
  • gmsa1 is the name of the gMSA account to be created.
  • dc1.example.com is the DNS host name (the DNS server name in this example).
  • gmsa1Group is the Active Directory group that includes all systems that will use the account. This group must be created beforehand under Groups.
To check it, go to → Server Manager → Tools → Active Directory Users and Computers → Managed Service Accounts.
Step 3 – To install the gMSA on a server → open the PowerShell terminal and type the following commands −
  • Install-ADServiceAccount -Identity gmsa1
  • Test-ADServiceAccount gmsa1
Make sure the result of the second command is “True”, as shown in the screenshot given below.
Step 4 – Go to the service properties and specify that the service will run with the gMSA account. In the This account box on the Log on tab, type the name of the service account, ending the name with the $ symbol; the password need not be specified. After the changes are saved, the service has to be restarted.
The account will be granted the “Log On as a Service” right, and the password will be retrieved automatically.
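The four steps above, carried out end to end in PowerShell, as an added example that is not part of the original page. It assumes the ActiveDirectory RSAT module and Domain Admin rights, keeps the page's names (gmsa1, gmsa1Group, dc1.example.com) and adds hypothetical ones for the member host (app01), domain (EXAMPLE) and service (MyService); the closing query is the check a defender would run to confirm who may read the password and when it was last rotated.

```powershell
# Added example: gMSA provisioning and verification (not the page's own code).
# Hypothetical names: member host "app01", NetBIOS domain "EXAMPLE", service "MyService".
Import-Module ActiveDirectory

# Step 1: KDS root key. In production the key becomes usable about 10 hours after
# creation (replication); in a lab, back-date the effective time so it works at once.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# Security group listing the hosts allowed to retrieve the managed password.
# Keep it tight: every member can read the password and act as the service account.
if (-not (Get-ADGroup -Filter "Name -eq 'gmsa1Group'")) {
    New-ADGroup -Name 'gmsa1Group' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'gmsa1Group' -Members (Get-ADComputer 'app01')

# Step 2: create the gMSA; only members of gmsa1Group may fetch its password.
New-ADServiceAccount -Name 'gmsa1' -DNSHostName 'dc1.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gmsa1Group'

# Step 3 (run on app01, after a reboot so the new group membership is in its
# Kerberos ticket): install the account locally and test that it is usable.
Install-ADServiceAccount -Identity 'gmsa1'
if (-not (Test-ADServiceAccount -Identity 'gmsa1')) {
    throw 'gmsa1 is not usable on this host; check group membership and KDS key replication.'
}

# Step 4: bind the service to the account. The name ends in '$' and no password
# is supplied; Windows retrieves it from a domain controller at start-up.
sc.exe config 'MyService' obj= 'EXAMPLE\gmsa1$' password= ''
Restart-Service -Name 'MyService'

# Verification: which principals may read the password, the rotation interval
# (default 30 days) and when the password was last set.
Get-ADServiceAccount -Identity 'gmsa1' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', PasswordLastSet |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', PasswordLastSet
```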

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
