Is it possible to change the time window when a GMSA account password is rotated every 30 days

Murali Kumar 65 Reputation points
2025-05-28T06:13:29.1266667+00:00

Hi

I am aware that for Group Managed Service Accounts (gMSA), the Active Directory rotates password every 30 days by default. I am trying to find some info on

  1. How is the time window for that password rotation determined (either precise timing or rough timing)
  2. If that password rotation time window can be changed

Basically, in our infrastructure, we are observing some problems with our application behaviour where application services are running using a gMSA account identity, and the problems happen precisely at the date & time when the gMSA account password is being rotated by AD. We see Kerberos authentication failures for a duration of 1 to 10 min related to services running using the gMSA account, happening every 30 days precisely at the time window when the password gets rotated by AD. Hence, I would like to change the time window of this password rotation to when the application is not in use (say 8 hours before or 8 hours after the current time when the password gets rotated). Is it possible to achieve this?

Thanks

Murali

Windows for business | Windows Server | Directory services | Active Directory

Accepted answer
    Chen Tran, 1,035 Reputation points, Independent Advisor
    2025-05-29T10:18:24.4166667+00:00

    Hello,

    Thank you for posting your question on the Microsoft Windows forum!

    The following is a plausible explanation to address your queries below.
    

    1. For the question of how the time window for that password rotation is determined (either precise timing or rough timing):

    • The precise timing of the gMSA password rotation is largely managed internally by Active Directory and is tied to the msDS-ManagedPasswordInterval attribute of the gMSA object. While the default is 30 days, the exact time within that 30-day window when the rotation occurs is not something you can directly configure for a specific time of day.
    • The password derivation for gMSAs is deterministic, based on a secret stored in the KDS (Key Distribution Services) root key, and the msDS-ManagedPasswordID attribute of the gMSA, which includes a timestamp. This means that domain controllers can compute the current, previous, and future passwords at any given time.
    • For more information, see https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-read-gmsa/

    2. Regarding the question of whether that password rotation time window can be changed:

    • Well! You can change the interval of the password rotation. However, you cannot modify the specific time of day it happens.
    • To change the interval: when you create a new gMSA, you can specify the ManagedPasswordIntervalInDays parameter of the New-ADServiceAccount PowerShell cmdlet. For example, to set the interval to 60 days:
    • New-ADServiceAccount -Name "MyGMSA" -DNSHostName "MyGMSA.domain.local" -PrincipalsAllowedToRetrieveManagedPassword "MyComputer$" -ManagedPasswordIntervalInDays 60
    • However, it is important to keep in mind that the ManagedPasswordIntervalInDays parameter can only be set during the creation of the gMSA. You cannot change this attribute after the gMSA has been created. If you need to change the interval for an existing gMSA, you would essentially have to recreate the gMSA with the desired interval.
    • As mentioned above, the precise time within the rotation interval is managed internally by Active Directory and is not a configurable option. Hence, it is not feasible to change the precise time as you mentioned in your query.

    Hope the above explanation is informative!

    1 person found this answer helpful.
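As an added example (not code from the original answer or from Microsoft), the following PowerShell reads the attributes the answer names and estimates each gMSA's next rotation, so a defender can see in advance whether it lands inside business hours. It assumes the ActiveDirectory module is available and that the rotation falls at PasswordLastSet plus msDS-ManagedPasswordInterval days; the function name and the business-hours window are hypothetical.

```powershell
# Added example, not from the original thread. Estimates when each gMSA password
# will next roll and flags rotations that overlap an assumed business-hours window.
Import-Module ActiveDirectory

function Get-GmsaRotationSchedule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $BusinessStartHour = 8,   # assumed local business window (hypothetical values)
        [int] $BusinessEndHour   = 18
    )
    # PasswordLastSet is derived from pwdLastSet; msDS-ManagedPasswordInterval is the
    # per-account interval fixed at creation (absent or 0 means the 30-day default).
    $acct = Get-ADServiceAccount -Identity $Name -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval'
    $intervalDays = $acct.'msDS-ManagedPasswordInterval'
    if (-not $intervalDays) { $intervalDays = 30 }

    $lastSet  = $acct.PasswordLastSet
    # Assumption: the next roll happens at PasswordLastSet + interval. If that instant
    # is already in the past (account not yet rotated on schedule), step forward by
    # whole intervals so the estimate stays in the future.
    $nextRoll = $lastSet.AddDays($intervalDays)
    while ($nextRoll -lt (Get-Date)) { $nextRoll = $nextRoll.AddDays($intervalDays) }

    $inBusinessHours = ($nextRoll.Hour -ge $BusinessStartHour -and $nextRoll.Hour -lt $BusinessEndHour)
    [pscustomobject]@{
        Name            = $acct.Name
        PasswordLastSet = $lastSet
        IntervalDays    = $intervalDays
        NextRotation    = $nextRoll
        InBusinessHours = $inBusinessHours
        DaysUntilRoll   = [math]::Round(($nextRoll - (Get-Date)).TotalDays, 2)
    }
}

# Usage: report every gMSA in the domain, soonest rotation first, so the ones
# that will roll during working hours can be recreated with a different
# ManagedPasswordIntervalInDays (the only supported lever) or scheduled around.
Get-ADServiceAccount -Filter * |
    Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount' |
    ForEach-Object { Get-GmsaRotationSchedule -Name $_.Name } |
    Sort-Object NextRotation |
    Format-Table Name, PasswordLastSet, IntervalDays, NextRotation, InBusinessHours, DaysUntilRoll -AutoSize
```

Because the interval cannot be edited after creation, the practical use of the report is to correlate the NextRotation column with the Kerberos failure window the question describes and to confirm the timing before deciding whether recreating the account with a different interval is worthwhile.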
