Windows Service account functionalities

Question

Windows Service account functionalities

G-ONE 166

Hello,

Couple of questions related with service accounts.

Q1: Can traditional service account (standard user account in Active Directory) be used in multiple computers where same/different services are deployed?

Q2: Can Group Managed service accounts be used for the service running on different servers which are not part of any cluster or server farm?

Please answer specifically to above mentioned questions with reference articles.

1 answer

Your answer

Answer 1

Fabian 261

Q1: Yes, it is a usual case e.g. Login to PC and to RDS or VDI at the same time. I think there is no article that commits exactly this case.
What is your concern?
Perhaps the better question is: Why would you do that?

Q2: Yes, this ist the advantage of gMSA over MSA. Add both computer to the PrincipalsAllowedToRetrieveManagedPassword property.

https://learn.microsoft.com/en-us/services-hub/health/kb-running-assessments-with-msas

Standalone Managed Service Accounts (also known as Virtual Accounts) can only be authorized to authenticate on a single domain joined computer.
Group Managed Service Accounts can be authorized to authenticate on several domain computers.

https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

G-ONE 166 Reputation points

2020-09-25T00:39:03.277+00:00

Thanks for the reply.

Q1: If traditional service account (standard user account in Active Directory) can be used in multiple computers then how is this different from gMSA because gMSA is also used for multiple computers?

Q2: As you said, please explain with examples why would someone use traditional service account in multiple computers where same/different services are deployed?

Q3: As per Microsoft article, it says gMSA can be used for same service which are deployed on multiple cluster notes OR service which is hosted on server farm.
So does it mean that gMSA can not be used for different services hosted on different servers which does not belong to any server farm or cluster? So do I have to use traditional service account (user account in AD) for same/different services which are hosted on different servers which are not part of cluster or server farm?

Kindly explain and provide clarity on above mentioned questions.
Vicky Wang 2,736 Reputation points

2020-09-25T08:56:12.047+00:00

Hi，@G-ONE
Thank you for your update, because your question is a bit complicated and difficult, I may need some time to study, and I will give you the answer next week. Thank you for your understanding and support.
Best wishes
Vicky
Fabian 261 Reputation points

2020-09-25T09:17:31.667+00:00
Q1: As you can see in the first link, the gMSA differs from a classic user in the following:

Automatic password management, simplified service principal name (SPN) management

Cannot be used to interactively log into Windows

Easily control which computers are authorized authenticate MSAs and run code in their context

Q2: You should always prefer gMSA and personally I prefer different gMSA for each service on each computer to avoid dependencies. If the same identity is required, for example for a web server farm as described in the first link, you must use the same gMSA on different computers. But again there is no limitation, use as many gMSA as you can, so that each gMSA holds as least privileges as required. If a application do not support gMSA e.g. because interactive logon, a password input, run on a non windows or run on a non domain joined device is required, than you must use a legacy service account (aka normal user account).

Q3: Explained in Q2
G-ONE 166 Reputation points

2020-09-25T12:06:05.913+00:00

Thanks for the reply.

Problem scenario:

I have legacy service account (aka normal user account) which is being used in multiple computers by Identity Management tool for automatic provisioning of user account management and group management in Active Directory. Problem is if that account is locked out because of old password, automation task is failed and I have to manually provision the request and then update the latest password in source server which is causing account lockout.

Question:

According to above mentioned scenario, I just want to confirm is this feasible to deploy gMSA for each server where the same service is running under that legacy service account in order to avoid failure of automatic provisioning?

OR

Is there any alternative or better solution for the above described problem?

Please answer, explain and suggest the best solution.
Fabian 261 Reputation points

2020-09-26T10:47:46.86+00:00

Your described problem is a common problem when classic service accounts are distributed on different servers. When changing the password all services have to be stopped, the password has to be updated and started again.

gMSAs are made exactly for this. Create a gMSA for each service on each computer and the password change is fully automated. There are only very special situations where a service with the same gMSA needs to be run on different computers (e.g. web server farm, clusters) for usual services, scheduled taks, etc. this is not necessary.

Example:
gmsaComp1SvcA --> ServiceA on Computer1
gmsaComp1SvcB --> ServiceB on Computer1
gmsaComp2SvcA --> ServiceA on Computer2
gmsaComp2ScvB --> ServiceB on Computer2
G-ONE 166 Reputation points

2020-09-27T20:09:16.517+00:00

Thank you @Fabian for the reply.

Follow up questions:

Q1: Can I use same gMSA for same service distributed on multiple servers (which are not part of any server farm or cluster) ?

Q2: Can I use different gMSA for same service distributed on multiple servers (which are not part of any server farm or cluster) ?

Please reply specifically with explanation.
G-ONE 166 Reputation points

2020-09-29T12:03:59.583+00:00

@Fabian

Waiting for your reply.

Share via

Windows Service account functionalities

1 answer

Your answer