Wednesday, May 27, 2020

Creating and Moving to Group Managed Service Accounts (GMSA)

Group managed service accounts (gMSAs) are better than ordinary service accounts for the following reasons:
  • No password management: the domain generates and rotates the password (every 30 days by default), so there is nothing for an admin to set, document or store in a vault
  • One gMSA can be shared across multiple hosts (for example every node of a farm or cluster)
  • No human ever knows the password, so it cannot be leaked from a config file, script or ticket; note that any principal listed in PrincipalsAllowedToRetrieveManagedPassword (and therefore any local administrator on such a host) can still fetch it from AD, so keep that list tight
  • The domain controllers derive the passwords from the Microsoft Key Distribution Service (KDS) root key; the Kerberos KDC is not involved in rotating them
Your domain has to support it: the Windows Server 2012 (or later) schema, with at least one Windows Server 2012 or later domain controller.

Check whether a KDS root key already exists: Get-KdsRootKey

If a root key exists, the cmdlet returns the key object (its DomainController property shows where the key was created and EffectiveTime shows when it became usable), and you are golden. Just run this command to make a new gMSA for the servers you need; the -DNSHostName value is the DNS name the service itself will be reached by (SPNs are registered against it), not a domain controller:

New-ADServiceAccount -Name 'yourServiceAccountName' -DNSHostName 'yourServiceAccountName.yourdomain.local' -PrincipalsAllowedToRetrieveManagedPassword 'yourserver1$', 'yourserver2$', 'yourserver3$', 'yourserver4$'

In anything but a small environment, pass a security group containing the host computer accounts instead of the list of 'server$' names, so that adding a host later is a group change rather than an edit of the account.
If no KDS root key exists yet, create one (in large environments wait for replication after this):

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Backdating the effective time by 10 hours skips the normal wait, which is fine in a lab. In production use Add-KdsRootKey -EffectiveImmediately instead and wait 10 hours for the key to replicate to every domain controller before creating accounts.

Then you can run the NEW-ADServiceAccount command above.

On the server you want to be able to use the gMSA (it needs the RSAT Active Directory PowerShell module, and its computer account must already be in the allowed list; purge the computer's Kerberos tickets or reboot if it was only just added), run the following:

Install-ADServiceAccount -Identity 'yourServiceAccountName'

Test-ADServiceAccount -Identity 'yourServiceAccountName' should then return True; if it returns False the host cannot retrieve the password, so check the allowed principals and replication before going further.

Then change the Windows service's logon account to DOMAIN\yourServiceAccountName$ (note the trailing $), leave the password blank, restart the service and you are done. The Services console grants the account the "Log on as a service" right for you when you set it there.
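The whole procedure as one script, split into the part run from an admin workstation and the part run on the target server. This is an added example, not code from the original post; the domain (corp.example), gMSA (svc-app), host group (gMSA-svc-app-Hosts), hosts (app01, app02) and service (MyAppService) are made-up names to substitute with your own.

```powershell
# Added example (not from the original post). Assumed names: domain corp.example,
# gMSA svc-app, host group gMSA-svc-app-Hosts, hosts app01/app02, service MyAppService.

# ---- Part 1: run as a Domain Admin where the ActiveDirectory module is installed ----
Import-Module ActiveDirectory

# 1. Make sure a KDS root key exists (done once per forest).
if (-not (Get-KdsRootKey)) {
    # Lab only: backdating by 10 hours skips the replication wait.
    # In production use -EffectiveImmediately and wait 10 hours before step 3.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Put the hosts in a security group so that adding a host later is a group
#    change rather than an edit of the service account itself.
$groupName = 'gMSA-svc-app-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
'app01', 'app02' | ForEach-Object {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $_)
}

# 3. Create the gMSA. DNSHostName is the name the service is reached by (SPNs are
#    registered against it), not a domain controller. Restrict Kerberos to AES so
#    the account never issues RC4 tickets.
New-ADServiceAccount -Name 'svc-app' `
    -DNSHostName 'svc-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -KerberosEncryptionType AES128, AES256

# ---- Part 2: run elevated on app01 (needs the RSAT-AD-PowerShell feature) ----
# The host's own Kerberos ticket must reflect the new group membership, so purge
# the computer account's (SYSTEM, logon id 0x3e7) tickets instead of rebooting.
klist -li 0x3e7 purge

Install-ADServiceAccount -Identity 'svc-app'
if (-not (Test-ADServiceAccount -Identity 'svc-app')) {
    throw 'app01 cannot retrieve the gMSA password; check group membership and replication.'
}

# Point the service at the gMSA: the account name ends in $ and the password is
# left empty because the host fetches it from AD. sc.exe does not grant the
# "Log on as a service" right the way the Services console does, so grant it
# separately (Group Policy or secedit) if the account does not have it yet.
sc.exe config MyAppService obj= 'CORP\svc-app$' password= ''
Restart-Service -Name MyAppService
```

Run Part 2 on every host in the group; Install-ADServiceAccount caches the account locally, and Test-ADServiceAccount is the quickest way to tell a permissions or replication problem apart from a service misconfiguration.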
