Getting Started with Group Managed Service Accounts (2024)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This guide provides step-by-step instructions and background information for enabling and using group Managed Service Accounts in Windows Server 2012.

In this document

  • Prerequisites

  • Introduction

  • Deploying a new server farm

  • Adding member hosts to an existing server farm

  • Updating the Group Managed Service Account properties

  • Decommissioning member hosts from an existing server farm

Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Prerequisites

See the section in this topic on Requirements for group Managed Service Accounts.

Introduction

When a client computer connects to a service which is hosted on a server farm using network load balancing (NLB) or some other method where all the servers appear to be the same service to the client, then authentication protocols supporting mutual authentication such as Kerberos cannot be used unless all the instances of the services use the same principal. This means that each service has to use the same passwords/keys to prove their identity.

Note

Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or a sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.

Services have the following principals from which to choose, and each has certain limitations.

| Principals | Services supported | Password management |
|---|---|---|
| Computer Account of Windows system | Limited to one domain joined server | Computer manages |
| Computer Account without Windows system | Any domain joined server | None |
| Virtual Account | Limited to one server | Computer manages |
| Windows 7 standalone Managed Service Account | Limited to one domain joined server | Computer manages |
| User Account | Any domain joined server | None |
| Group Managed Service Account | Any Windows Server 2012 domain-joined server | The domain controller manages, and the host retrieves |

A Windows computer account, a Windows 7 standalone Managed Service Account (sMSA), or virtual accounts cannot be shared across multiple systems. In the case of virtual accounts, the identity is also local to the machine and not recognized by the domain. If you configure one account for services on server farms to share, you would have to choose a user account or a computer account that is not bound to a Windows system. Either way, these accounts do not have the capability of single-point-of-control password management. This creates a problem where each organization needs to create an expensive solution to update keys for the service in Active Directory and then distribute the keys to all instances of those services.

With Windows Server 2012, services or service administrators do not need to manage password synchronization between service instances when using group Managed Service Accounts (gMSA). You provision the gMSA in AD and then configure the service which supports Managed Service Accounts. Use of the gMSA is scoped to any machine that is able to use LDAP to retrieve the gMSA's credentials. You can provision a gMSA using the *-ADServiceAccount cmdlets which are part of the Active Directory module. Service identity configuration on the host is supported by:

  • Same APIs as sMSA, so products which support sMSA will support gMSA

  • Services which use Service Control Manager to configure logon identity

  • Services which use the IIS manager for application pools to configure identity

  • Tasks using Task Scheduler.

Requirements for group Managed Service Accounts

The following table lists the operating system requirements for Kerberos authentication to work with services using gMSA. The Active Directory requirements are listed after the table.

A 64-bit architecture is required to run the Windows PowerShell commands used to administer group Managed Service Accounts.

Operating system requirements

| Element | Requirement | Operating system |
|---|---|---|
| Client Application host | RFC compliant Kerberos client | At least Windows XP |
| User account's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| Shared service member hosts | | Windows Server 2012 |
| Member host's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| gMSA account's domain DCs | Windows Server 2012 DCs available for host to retrieve the password | Domain with Windows Server 2012 which can have some systems earlier than Windows Server 2012 |
| Backend service host | RFC compliant Kerberos application server | At least Windows Server 2003 |
| Backend service account's domain DCs | RFC compliant KDC | At least Windows Server 2003 |
| Windows PowerShell for Active Directory | Windows PowerShell for Active Directory installed locally on a computer supporting a 64-bit architecture or on your remote management computer (for example, using the Remote Server Administration Toolkit) | Windows Server 2012 |

Active Directory Domain Service requirements

The Microsoft Key Distribution Service (kdssvc.dll) root key for Active Directory must be created before any gMSA can be provisioned. For instructions on how to create the key, see Create the Key Distribution Services KDS Root Key.

Lifecycle

The lifecycle of a server farm using the gMSA feature typically involves the following tasks:

  • Deploying a new server farm

  • Adding member hosts to an existing server farm

  • Decommissioning member hosts from an existing server farm

  • Decommissioning an existing server farm

  • Removing a compromised member host from a server farm if required.

Deploying a new server farm

When deploying a new server farm, the service administrator will need to determine:

  • If the service supports using gMSAs

  • If the service requires inbound or outbound authenticated connections

  • The computer account names for the member hosts for the service using the gMSA

  • The NetBIOS name for the service

  • The DNS host name for the service

  • The Service Principal Names (SPNs) for the service

  • The password change interval (default is 30 days).

Step 1: Provisioning group Managed Service Accounts

You can create a gMSA only if the forest schema has been updated to Windows Server 2012, the master root key for Active Directory has been deployed, and there is at least one Windows Server 2012 DC in the domain in which the gMSA will be created.

Membership in Domain Admins, or the ability to create msDS-GroupManagedServiceAccount objects, is the minimum required to complete the following procedures.

Note

A value for the -Name parameter is always required (whether you type the -Name parameter name or pass the value positionally); -DNSHostName, -RestrictToSingleComputer, and -RestrictToOutboundAuthenticationOnly are the secondary requirements for the three deployment scenarios.

To create a gMSA using the New-ADServiceAccount cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell, type the following commands, and then press ENTER. (The Active Directory module will load automatically.)

    New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName <string>] [-ServicePrincipalNames <string[]>]

    | Parameter | String | Example |
    |---|---|---|
    | Name | Name of the account | ITFarm1 |
    | DNSHostName | DNS host name of service | ITFarm1.contoso.com |
    | KerberosEncryptionType | Any encryption types supported by the host servers | None, RC4, AES128, AES256 |
    | ManagedPasswordIntervalInDays | Password change interval in days (default is 30 days if not provided) | 90 |
    | PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts or the security group that the member hosts are a member of | ITFarmHosts |
    | SamAccountName | NetBIOS name for the service if not same as Name | ITFarm1 |
    | ServicePrincipalNames | Service Principal Names (SPNs) for the service | http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso, MSSQLSvc/ITFarm1.contoso.com:1433, MSSQLSvc/ITFarm1.contoso.com:INST01 |

    Important

    The password change interval can only be set during creation. If you need to change the interval, you must create a new gMSA and set it at creation time.

    Example

    Enter the command on a single line, even though it might appear word-wrapped across several lines here because of formatting constraints.

    New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts$ -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso

Membership in Domain Admins, Account Operators, or the ability to create msDS-GroupManagedServiceAccount objects is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To create a gMSA for outbound authentication only using the New-ADServiceAccount cmdlet
  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    New-ADServiceAccount [-Name] <string> -RestrictToOutboundAuthenticationOnly [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>]

    | Parameter | String | Example |
    |---|---|---|
    | Name | Name of the account | ITFarm1 |
    | ManagedPasswordIntervalInDays | Password change interval in days (default is 30 days if not provided) | 75 |
    | PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts or the security group that the member hosts are a member of | ITFarmHosts |

    Important

    The password change interval can only be set during creation. If you need to change the interval, you must create a new gMSA and set it at creation time.

Example

New-ADServiceAccount ITFarm1 -RestrictToOutboundAuthenticationOnly -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts$
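The following script, added here as an example and not part of the original article, carries out the Step 1 provisioning for the ITFarm1 farm with the checks an operator would want first: that a KDS root key exists, and that the member hosts are collected in a security group before the gMSA is created. The host names ITHost1 and ITHost2 are assumed, and the Kerberos encryption type is restricted to AES256 rather than the RC4, AES128, AES256 set used in the article's example.

```powershell
# Added example, not from the original article. Run on a Windows Server 2012
# or later domain controller (or an RSAT host) as a member of Domain Admins.
# Assumptions: hypothetical member hosts ITHost1 and ITHost2 already exist as
# computer accounts in the contoso.com domain.
Import-Module ActiveDirectory

$FarmName    = 'ITFarm1'
$DnsName     = 'ITFarm1.contoso.com'
$HostGroup   = 'ITFarmHosts'
$MemberHosts = @('ITHost1', 'ITHost2')   # hypothetical computer names

# 1. A KDS root key must exist before any gMSA can be created; without it
#    New-ADServiceAccount fails. Creating the key is covered under
#    "Create the Key Distribution Services KDS Root Key", so only check here.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one before provisioning a gMSA.'
}

# 2. Put the member hosts in a security group and grant password retrieval to
#    the group. Adding or removing a host later is then a group-membership
#    change rather than a rewrite of the gMSA's principal list.
$group = Get-ADGroup -Filter "Name -eq '$HostGroup'"
if (-not $group) {
    $group = New-ADGroup -Name $HostGroup -GroupScope Global `
                         -GroupCategory Security -PassThru
}
foreach ($h in $MemberHosts) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $h)
}

# 3. Create the gMSA. AES256 only is a hardening choice made in this example
#    (the article's example also allows RC4 and AES128); it keeps the account
#    from being issued RC4-encrypted Kerberos tickets. The password interval
#    can only be set here, at creation time, so it is stated explicitly.
$spns = @(
    "http/$DnsName/contoso.com",
    "http/$DnsName/contoso",
    "http/$FarmName/contoso.com",
    "http/$FarmName/contoso"
)
New-ADServiceAccount -Name $FarmName `
    -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames $spns

# 4. Read back what was written. PrincipalsAllowedToRetrieveManagedPassword
#    is not part of the default property set, so it must be requested.
Get-ADServiceAccount -Identity $FarmName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames,
                KerberosEncryptionType, ManagedPasswordIntervalInDays |
    Format-List Name, DNSHostName, KerberosEncryptionType,
                ManagedPasswordIntervalInDays,
                PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
```

For the outbound-only scenario, replace the -DNSHostName and -ServicePrincipalNames arguments in step 3 with -RestrictToOutboundAuthenticationOnly, as in the example immediately above.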

Step 2: Configuring service identity application service

To configure the services in Windows Server 2012, see the following feature documentation:

  • IIS application pool

    For more information, see Specify an Identity for an Application Pool (IIS 7).

  • Windows Services

    For more information, see Services.

  • Tasks

    For more information, see the Task Scheduler Overview.

Other services could support gMSA. See the appropriate product documentation for details on how to configure those services.

Adding member hosts to an existing server farm

If using security groups for managing member hosts, add the computer account for the new member host to the security group (that the gMSA's member hosts are a member of) using one of the following methods.

Membership in Domain Admins, or the ability to add members to the security group object, is the minimum required to complete these procedures.

  • Method 1: Active Directory Users and Computers

    For procedures on how to use this method, see Add a computer account to a group using the Windows interface, and Manage Different Domains in Active Directory Administrative Center.

  • Method 2: dsmod

    For procedures on how to use this method, see Add a computer account to a group using the command line.

  • Method 3: Windows PowerShell Active Directory cmdlet Add-ADPrincipalGroupMembership

    For procedures on how to use this method, see Add-ADPrincipalGroupMembership.

If listing computer accounts explicitly, retrieve the existing list and then write it back with the new computer account added.

Membership in Domain Admins, Account Operators, or the ability to manage msDS-GroupManagedServiceAccount objects is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To add member hosts using the Set-ADServiceAccount cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    Get-ADServiceAccount [-Identity] <string> -Properties PrincipalsAllowedToRetrieveManagedPassword

  3. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    Set-ADServiceAccount [-Identity] <string> -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>

| Parameter | String | Example |
|---|---|---|
| Name | Name of the account | ITFarm1 |
| PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts or the security group that the member hosts are a member of | Host1, Host2, Host3 |

Example

For example, to add member hosts, type the following commands, and then press ENTER.

Get-ADServiceAccount ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host2$,Host3$

Updating the group Managed Service Account properties

Membership in Domain Admins, Account Operators, or the ability to write to msDS-GroupManagedServiceAccount objects is the minimum required to complete these procedures.

Open the Active Directory Module for Windows PowerShell, and set any property by using the Set-ADServiceAccount cmdlet.

For detailed information on how to set these properties, see Set-ADServiceAccount in the TechNet Library, or type Get-Help Set-ADServiceAccount at the Active Directory module for Windows PowerShell command prompt and press ENTER.

Decommissioning member hosts from an existing server farm

Membership in Domain Admins, or the ability to remove members from the security group object, is the minimum required to complete these procedures.

Step 1: Remove member host from gMSA

If using security groups for managing member hosts, remove the computer account for the decommissioned member host from the security group that the gMSA's member hosts are a member of using either of the following methods.

  • Method 1: Active Directory Users and Computers

    For procedures on how to use this method, see Delete a Computer Account using the Windows interface, and Manage Different Domains in Active Directory Administrative Center.

  • Method 2: dsrm

    For procedures on how to use this method, see Delete a Computer Account using the command line.

  • Method 3: Windows PowerShell Active Directory cmdlet Remove-ADPrincipalGroupMembership

    For detailed information on how to do this, see Remove-ADPrincipalGroupMembership in the TechNet Library, or type Get-Help Remove-ADPrincipalGroupMembership at the Active Directory module for Windows PowerShell command prompt and press ENTER.

If listing computer accounts explicitly, retrieve the existing list and then write it back containing all but the removed computer account.

Membership in Domain Admins, Account Operators, or the ability to manage msDS-GroupManagedServiceAccount objects is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

To remove member hosts using the Set-ADServiceAccount cmdlet
  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    Get-ADServiceAccount [-Identity] <string> -Properties PrincipalsAllowedToRetrieveManagedPassword

  3. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    Set-ADServiceAccount [-Identity] <string> -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>

| Parameter | String | Example |
|---|---|---|
| Name | Name of the account | ITFarm1 |
| PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts or the security group that the member hosts are a member of | Host1, Host3 |

Example

For example, to remove member hosts, type the following commands, and then press ENTER.

Get-ADServiceAccount ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host3$

Step 2: Removing a group Managed Service Account from the system

Remove the cached gMSA credentials from the member host using Uninstall-ADServiceAccount or the NetRemoveServiceAccount API on the host system.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures.

To remove a gMSA using the Uninstall-ADServiceAccount cmdlet
  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    Uninstall-ADServiceAccount <ADServiceAccount>

    Example

    For example, to remove the cached credentials for a gMSA named ITFarm1 type the following command, and then press ENTER:

    Uninstall-ADServiceAccount ITFarm1

For more information about the Uninstall-ADServiceAccount cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Uninstall-ADServiceAccount, and then press ENTER, or see the information on the TechNet web at Uninstall-ADServiceAccount.
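Set-ADServiceAccount replaces the whole PrincipalsAllowedToRetrieveManagedPassword list on every call, so both the "Adding member hosts" and "Decommissioning member hosts" procedures above come down to reading the current list, editing it, and writing it back. The function below, added as an example and not taken from the article, does that for both cases and refuses to leave the gMSA with no host allowed to retrieve its password; the gMSA name ITFarm1 is the article's, while the host names Host1 through Host4 are assumed.

```powershell
# Added example, not from the original article. Run from the Active Directory
# module for Windows PowerShell with rights to manage the gMSA object.
# Assumptions: gMSA ITFarm1 lists hosts explicitly (not via a security group),
# and Host1..Host4 are hypothetical computer accounts in the same domain.
Import-Module ActiveDirectory

function Get-GmsaHostList {
    param([Parameter(Mandatory)][string]$Identity)
    # The attribute holds distinguished names and is returned only on request.
    $acct = Get-ADServiceAccount -Identity $Identity `
                -Properties PrincipalsAllowedToRetrieveManagedPassword
    @($acct.PrincipalsAllowedToRetrieveManagedPassword)
}

function Set-GmsaHostMembership {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Add    = @(),
        [string[]]$Remove = @()
    )
    $current = Get-GmsaHostList -Identity $Identity

    # Resolve names to distinguished names so the comparison is exact.
    $addDns    = @(foreach ($h in $Add)    { (Get-ADComputer -Identity $h).DistinguishedName })
    $removeDns = @(foreach ($h in $Remove) { (Get-ADComputer -Identity $h).DistinguishedName })

    $desired = @($current + $addDns |
                 Where-Object { $_ -notin $removeDns } |
                 Sort-Object -Unique)

    # An empty list means no host can fetch the password: every instance would
    # break at the next password roll, so fail loudly instead of writing it.
    if ($desired.Count -eq 0) {
        throw "Refusing to leave $Identity with no principals allowed to retrieve its password."
    }

    # Set- overwrites the attribute, so the complete desired list is written.
    Set-ADServiceAccount -Identity $Identity `
        -PrincipalsAllowedToRetrieveManagedPassword $desired
    Get-GmsaHostList -Identity $Identity
}

# Adding a member host: Host4 joins the farm, Host1..Host3 are untouched.
Set-GmsaHostMembership -Identity 'ITFarm1' -Add 'Host4'

# Decommissioning a member host: Host2 leaves, the other three remain.
Set-GmsaHostMembership -Identity 'ITFarm1' -Remove 'Host2'

# The host-side steps run on the member host itself as a local Administrator:
#   Install-ADServiceAccount   -Identity ITFarm1   # on a newly added host
#   Test-ADServiceAccount      -Identity ITFarm1   # True once the host can retrieve the password
#   Uninstall-ADServiceAccount -Identity ITFarm1   # on the decommissioned host (Step 2 above)
```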

See also

  • Group Managed Service Accounts Overview

FAQs

How do group managed service accounts work? ›

Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can run on a single server or on a server farm, such as systems behind a network load balancing or Internet Information Services (IIS) server.

How do I set up a managed service account? ›

To create a group Managed Service Accounts (gMSA), follow the steps given below:
  1. Step 1: Create key distribution services (KDS) Root Key.
  2. Step 2: Create and configure gMSA.
  3. Step 3: Install the MSA on a host computer in the domain, and make the MSA available for use by services on the host computer.
Jul 15, 2022

Why use a group managed service account? ›

Group Managed Service Accounts, or gMSAs, are a type of managed service account that offers more security than traditional managed service accounts for automated, non-interactive applications, services, processes, or tasks that still require credentials.

How do I use a managed service account? ›

To use MSAs you must: Use Active Directory. Extend your AD schema to Windows Server 2008 R2.
...
Using a new MSA always works in four steps:
  1. You create the MSA in AD.
  2. You associate the MSA with a computer in AD.
  3. You install the MSA on the computer that was associated.
  4. You configure the service(s) to use the MSA.
Apr 4, 2019

How do managed service accounts work? ›

Managed Service Accounts are a Windows feature introduced in Windows Server 2008 R2 for increasing the security of non-user service accounts. Managed Service Accounts, shortened as MSAs, have an automatically-managed, complex password that removes the requirement of manually dealing with password rotation and security.

What is a disadvantage of the managed service account type? ›

Disadvantage. An MSA is assigned to a single computer, it cannot be used e.g. on different nodes of a Windows cluster.

What is the difference between service accounts and managed service accounts? ›

If your application supports it, using managed service accounts means that the password of the service account is automatically changed periodically without any interaction from the administrator. A service account is a user account that is created to run a particular service or software.

What is the difference between MSA and gMSA? ›

This type of managed service account (MSA) was introduced in Windows Server 2008 R2 and Windows 7. The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers.

How do I create a group managed service account in AD? ›

To create a gMSA using the New-ADServiceAccount cmdlet

On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar. At the command prompt for the Windows PowerShell, type the following commands, and then press ENTER. (The Active Directory module will load automatically.)

What is the difference between service account and user account? ›

User accounts are used by real users, service accounts are used by system services such as web servers, mail transport agents, databases etc. By convention, and only by convention, service accounts have user IDs in the low range, e.g. < 1000 or so. Except for UID 0, service accounts don't have any special privileges.

How do I create a standalone managed service account? ›

To create a standalone managed service account which is linked to a specific computer, use the RestrictToSingleComputer parameter. The Group in Group Managed Service Account (gMSA) stands for the ability to assign one gMSA to a group of computers. The sMSA instead was tied to a single computer.

Can a gMSA be a domain admin? ›

This GMSA is a member of the domain Administrators group which has full AD & DC admin rights to the domain.

Where are gMSA accounts stored? ›

Group Managed Service Account Security

The usage of gMSAs involves a computer account in Active Directory (the one where the gMSA is installed) being able to query the password information when the account is to be leveraged. The gMSAs are a specific object type in Active Directory, msDS-GroupManagedServiceAccount.

What is KDS root key? ›

KDS root keys are stored in Active Directory in container "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>". They have an attribute msKds-DomainID that links to the computer account of the Domain Controller that created the object.

Should service accounts be domain admins? ›

While a service account rarely requires Domain Admin level rights, they often are over-privileged as an easy way to overcome any potentially unforeseen operation challenges that may impact service continuity.

Why is a service account required? ›

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).

Can a managed service account run a scheduled task? ›

Managed Service Account (MSA) is a special type of Active Directory account that can be used to securely run services, applications, and scheduled tasks. The basic idea is that the password for these accounts is completely managed by Active Directory.

What is an advantage of the managed service account type? ›

Benefits of Managed Service Accounts

Automatic password management. Simplified service principal name (SPN) management. Cannot be used to interactively log into Windows. Easily control which computers are authorized to authenticate MSAs and run code in their context.

Can a service account have an email address? ›

The service account is used as the identity of the application, and the service account's roles control which resources the application can access. A service account is identified by its email address, which is unique to the account.

Do service accounts have passwords? ›

Service accounts differ from normal user accounts in multiple ways: They don't have a password and can't be used for browser-based sign-in. They're created and managed as a resource that belongs to a Google Cloud project. In contrast, users are managed in a Cloud Identity or Google Workspace account.

Can a gMSA be added to a group? ›

Add gMSA as a local administrator on the GroupID 9 machine. Next, run the GroupID Configuration Tool to run GroupID services under gMSA. To do so: Launch the GroupID Configuration Tool from the Windows Start screen or from GroupID Management Console (Configurations node > Configure GroupID).

What is a standalone managed service account? ›

Standalone managed service accounts (sMSAs) are managed domain accounts that you use to help secure one or more services that run on a server. They can't be reused across multiple servers.

What is the correct format of your service account email? ›

After you create a service account, you cannot change its name. The service account's name appears in the email address that is provisioned during creation, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com. Each service account also has a permanent, unique numeric ID, which is generated automatically.

How do you check what permissions a service account has? ›

To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method. But to get organization level permissions, the service account does not have permission to do the API call.

How do I know if my gMSA is enabled? ›

Verify the host is domain joined and can reach the domain controller. Install the AD PowerShell Tools from RSAT and run Test-ADServiceAccount to see if the computer has access to retrieve the gMSA. If the cmdlet returns False, the computer does not have access to the gMSA password.

How do I add gMSA to my security group? ›

This can be done with the following command run in Active Directory Module for Windows PowerShell (“Add-KdsRootKey”).
  1. Step 1: Open ADM for PowerShell. ...
  2. Step 2: Create A Service Account. ...
  3. Step 3: Add Host Machine. ...
  4. Step 4: Confirm. ...
  5. Step 5: Install gMSA. ...
  6. Step 6: Connecting gMSA With A Service.
Mar 27, 2016

How do I find my KDS root key? ›

Viewing the KDS root key
  1. In Windows, launch the Active Directory Sites and Services tool. ...
  2. In the Active Directory Sites and Services tool, select the View tab.
  3. In the View menu, select Show Services Node.
  4. In the left pane, select Services > Group Key Distribution Service > Master Root Keys.

Do service accounts need an o365 license? ›

A service account is a Microsoft 365 user account without a license; it is used for backup and restore operations. This type of account requires 3 permissions: Exchange administrator.

Which type of service account has the most privileges? ›

Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network.

How do you harden a service account? ›

Active Directory Service Accounts Best Practices
  1. Keep access limited. ...
  2. Create service accounts from scratch. ...
  3. Don't put service accounts in built-in privileged groups. ...
  4. Disallow service account access to important objects. ...
  5. Remove unnecessary rights. ...
  6. Set access by using the “Log On To” feature. ...
  7. Limit time frames.
Nov 4, 2019

How do I delete a group managed service account? ›

To delete a gMSA, locate it within your delegated OU and delete it. An OU administrator is required to perform this task. Go to the groups service, locate the group, and remove the NETID computer as a member. The last line should return False.

What is ADServiceAccount install? ›

The Install-ADServiceAccount cmdlet installs an existing Active Directory managed service account on the computer on which the cmdlet is run. This cmdlet verifies that the computer is eligible to host the managed service account.

How does MsolService connect to PowerShell? ›

Connect to MSOnline Service

To connect to the Azure Active Directory Module for Windows PowerShell or MSOnline module, use the Connect-MsolService cmdlet and supply the $M365credentials variable.

What is Microsoft key distribution service? ›

Key Distribution Center and Microsoft Active Directory

Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain.

How do I use setspn? ›

To add an SPN, use the setspn -s service/name hostname command at a command prompt, where service/name is the SPN that you want to add and hostname is the actual host name of the computer object that you want to update.

How do I find a group managed service account? ›

To check it, go to Server Manager → Tools → Active Directory Users and Computers → Managed Service Accounts. The result should come back "True" after running the second command, as shown in the screenshot given below.

What is an SPN example? ›

For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

How do I create a SPN record? ›

SPNs are registered for built-in accounts automatically. However, when you run a service under a domain user account, you must manually register the SPN for the account you want to use. To create an SPN, you can use the SetSPN command line utility.

How do I check if a SPN is registered? ›

Verify SPN has been successfully registered Using SETSPN Command Line Utility. In Command Line enter the following command: setspn -L <Domain\SQL Service Account Name> and press enter. Next, you need to look for registered ServicePrincipalName to ensure that a valid SPN has been created for the SQL Server.

What is the key difference between a managed service account and a group managed service account? ›

A managed service account can be used on only one computer in a domain. Click on the container in Active Directory where group managed service accounts are created by default.

What is gMSA authentication? ›

Group Managed Service Accounts (gMSAs) provide a higher security option for non-interactive applications/services/processes/tasks that run automatically but need a security credential.

Article information

Author: Prof. Nancy Dach

Last Updated: