Επεξεργασία

Κοινή χρήση μέσω


Group Managed Service Accounts

A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and uses a gMSA for running the agent. You can choose to allow the installer to create a new account or specify a custom account. You'll be prompted for administrative credentials during setup, in order to create this account or set permissions if using a custom account. If the installer creates the account, the account appears as domain\provAgentgMSA$. For more information on a gMSA, see group Managed Service Accounts.

Prerequisites for gMSA

  • The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
  • PowerShell RSAT modules on a domain controller.
  • At least one domain controller in the domain must be running Windows Server 2012 or later.
  • A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.

Permissions set on a gMSA account (ALL permissions)

When the installer creates the gMSA account, it sets ALL of the permissions on the account. The following tables detail these permissions

MS-DS-Consistency-Guid

Type Name Access Applies To
Allow <gmsa account> Write property mS-DS-ConsistencyGuid Descendant user objects
Allow <gmsa account> Write property mS-DS-ConsistencyGuid Descendant group objects

If the associated forest is hosted in a Windows Server 2016 environment, it includes the following permissions for NGC keys and STK keys.

Type Name Access Applies To
Allow <gmsa account> Write property msDS-KeyCredentialLink Descendant user objects
Allow <gmsa account> Write property msDS-KeyCredentialLink Descendant device objects

Password Hash Sync

Type Name Access Applies To
Allow <gmsa account> Replicating Directory Changes This object only (Domain root)
Allow <gmsa account> Replicating Directory Changes All This object only (Domain root)

Password Writeback

Type Name Access Applies To
Allow <gmsa account> Reset Password Descendant User objects
Allow <gmsa account> Write property lockoutTime Descendant User objects
Allow <gmsa account> Write property pwdLastSet Descendant User objects
Allow <gmsa account> Unexpire Password This object only (Domain root)

Group Writeback

Type Name Access Applies To
Allow <gmsa account> Generic Read/Write All attributes of object type group and subobjects
Allow <gmsa account> Create/Delete child object All attributes of object type group and subobjects
Allow <gmsa account> Delete/Delete tree objects All attributes of object type group and subobjects

Exchange Hybrid Deployment

Type Name Access Applies To
Allow <gmsa account> Read/Write all properties Descendant User objects
Allow <gmsa account> Read/Write all properties Descendant InetOrgPerson objects
Allow <gmsa account> Read/Write all properties Descendant Group objects
Allow <gmsa account> Read/Write all properties Descendant Contact objects

Exchange Mail Public Folders

Type Name Access Applies To
Allow <gmsa account> Read all properties Descendant PublicFolder objects

UserGroupCreateDelete (CloudHR)

Type Name Access Applies To
Allow <gmsa account> Generic write All attributes of object type group and subobjects
Allow <gmsa account> Create/Delete child object All attributes of object type group and subobjects
Allow <gmsa account> Generic write All attributes of object type user and subobjects
Allow <gmsa account> Create/Delete child object All attributes of object type user and subobjects

Using a custom gMSA account

If you're creating a custom gMSA account, the installer will set the ALL permissions on the custom account.

For steps on how to upgrade an existing agent to use a gMSA account see group Managed Service Accounts.

For more information on how to prepare your Active Directory for group Managed Service Account, see group Managed Service Accounts Overview.

Next steps