Group managed service accounts are better for the following reasons:
- No Password Management, no need to store the key in a vault
- Supports being shared across multiple hosts
- You cant steal the password from the LSA
- The Microsoft Key Distribution Service (KDC) manages the passwords for the gMSA
If your domain supports it (AD Schema 2012 and better).
Check if it is enabled: Get-KdsRootKey
If GMSA are supported it will return the DC that is the KDS, and you are golden, just run this command to make a new GMSA for the servers you need:
New-ADServiceAccount -Name 'yourServiceAccountName' -DNSHostName (Get-ADDomainController
(Get-KdsRootKey).domaincontroller).hostname -PrincipalsAllowedToRetrieveManagedPassword 'yourserver1$', 'yourserver2$', 'yourserver3$', 'yourserver4$'
If GMSA are not yet setup run the following commands (in large environments wait for replication after this):
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
Then you can run the NEW-ADServiceAccount command above.
On the server you want to be able to use the GSMA run the following:
Install-ADServiceAccount -Identity 'yourServiceAccountName'
Then change the Windows Service change to the \Domain\ServiceAccounts\'yourServiceAccountName' without a password and you are done.
