This topic shows you how to create a group Managed Service Account (gMSA) in Managed Service for Microsoft Active Directory. You should follow these standard instructions for setting up the account and incorporate the following special considerations for Managed Microsoft AD.
Do not create KDS root key
Usually, the first time you create a gMSA in a domain, you need to generate a Key Distribution Service (KDS) root key. Managed Microsoft AD generates a KDS root key for you when you create the domain, so you can skip that step from the standard instructions.
View the KDS root key
Before you begin, be sure that the Active Directory Sites and Services tool is installed from Remote Server Administration Tools (RSAT).
To view the KDS root key, complete the following steps:
- In Windows, launch the Active Directory Sites and Services tool. To launch this tool, you can open the Run command dialog box, and then enter dssite.msc.
- In the Active Directory Sites and Services tool, select the View tab.
- In the View menu, select Show Services Node.
- In the left pane, select Services > Group Key Distribution Service > Master Root Keys.
- The right pane shows a list of keys for your domain. Select a key to view its details.
Note that running the Get-KdsRootKey PowerShell cmdlet returns an empty response even though a valid KDS root key exists. You can only see the key when you run the Get-KdsRootKey cmdlet as the Domain Admin.
Create account under Managed Service Accounts container
For a Managed Microsoft AD domain, new gMSAs should be created under the Managed Service Accounts container. By default, the New-ADServiceAccount cmdlet creates new gMSAs in this location. For more information, see the New-ADServiceAccount cmdlet.
Delegate administration of Managed Service Accounts
You can delegate the administration of the Managed Service Accounts container to a user by adding them to the Cloud Service Managed Service Account Administrators group. For more information about the groups that Managed Microsoft AD creates for you, see Groups.
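The following PowerShell script is an added example, not code from this page or from Google, that walks through the three Managed Microsoft AD considerations above in one place: it skips KDS root key creation (and treats an empty Get-KdsRootKey result as expected), creates the gMSA in the default Managed Service Accounts container and verifies that it landed there, and delegates gMSA administration through the Cloud Service Managed Service Account Administrators group. The domain name, gMSA name, host group, computer account and delegated user are placeholders; it assumes the RSAT ActiveDirectory module is installed and that you are connected with an account allowed to create objects in the Managed Service Accounts container.

```powershell
# Added example (not from the documentation page): create a gMSA in a
# Managed Microsoft AD domain and delegate administration of the container.
# Assumptions: RSAT ActiveDirectory module installed; session runs as an
# account that may create objects under the Managed Service Accounts
# container; every name below is a placeholder to replace with your own.

Import-Module ActiveDirectory

$DomainDns  = 'example.com'        # placeholder domain DNS name
$GmsaName   = 'svc-web-gmsa'       # placeholder gMSA name (keep the SAM name at 15 chars or fewer)
$HostGroup  = 'gMSA-Web-Hosts'     # placeholder group of computers allowed to retrieve the password
$HostMember = 'WEB01$'             # placeholder computer account that will run the service
$DelegateTo = 'alice'              # placeholder user who will administer gMSAs

# 1. Do NOT run Add-KdsRootKey: Managed Microsoft AD created the KDS root key
#    when the domain was created. Get-KdsRootKey only shows the key when run
#    as Domain Admin, so an empty result here is expected, not an error.
$kdsKey = Get-KdsRootKey
if ($null -eq $kdsKey) {
    Write-Host 'Get-KdsRootKey returned nothing (expected when not Domain Admin); the managed root key still exists. Skipping Add-KdsRootKey.'
}

# 2. Scope password retrieval to a security group of hosts (least privilege:
#    only machines that must run the service can read the managed password).
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members $HostMember

# 3. Create the gMSA. -Path is deliberately omitted so New-ADServiceAccount
#    uses its default location, the Managed Service Accounts container.
#    ManagedPasswordIntervalInDays can only be set at creation time.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DomainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# 4. Verify the account was created under the Managed Service Accounts container.
$gmsa = Get-ADServiceAccount -Identity $GmsaName
if ($gmsa.DistinguishedName -notmatch '^CN=[^,]+,CN=Managed Service Accounts,') {
    throw "gMSA $GmsaName is not under the Managed Service Accounts container: $($gmsa.DistinguishedName)"
}
Write-Host "Created $($gmsa.DistinguishedName)"

# 5. Delegate gMSA administration by adding the user to the group that
#    Managed Microsoft AD pre-creates for this purpose, then show membership.
$AdminGroup = 'Cloud Service Managed Service Account Administrators'
Add-ADGroupMember -Identity $AdminGroup -Members $DelegateTo
Get-ADGroupMember -Identity $AdminGroup | Select-Object SamAccountName, objectClass

# 6. On a host that is a member of $HostGroup (after its Kerberos ticket
#    reflects the new membership), install and test the account:
#    Install-ADServiceAccount -Identity $GmsaName
#    Test-ADServiceAccount    -Identity $GmsaName   # True when the host can retrieve the password
```

The DistinguishedName check in step 4 is the practical guard for this page's requirement: if someone later adds a -Path pointing at another OU, the script fails loudly instead of silently creating the gMSA where Managed Microsoft AD does not expect it.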
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-03-18 UTC.