Share via

gMSA not in default location

Fabian 261 Reputation points
2020-10-02T08:44:13.77+00:00

Hi

One of the Microsoft PFE advised me that a gMSA must be in the default location (CN=Managed Service Accounts,DC=contoso,DC=com) and not in OU (e.g. OU=gMSA,OU=Tier0,DC=contoso,DC=com) . Otherwise there would be problems with the KDS. This does not make sense to me, because this would prevent OU based delegations. I have not found any information that this is not supported.

Can anyone from MS confirm whether gMSA can be placed in another OU or not?

Greetings, fabian

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,244 questions
Accepted answer
  1. Suman Bhowmik 76 Reputation points
    2020-11-26T14:25:50.113+00:00

    Yes, you can keep gMSA in different OU.
    That should not cause any issue / auth failure.

    There was a known issue which is little bit close to your statement. GMSA authentication may report error if DCs are not in Domain Controllers OU.
    Here is the reference Doc / fix - https://support.microsoft.com/en-us/help/3094486/kds-doesn-t-start-or-kds-root-key-isn-t-created-in-windows-server-2012

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Leon Laude 85,726 Reputation points
    2020-10-02T09:15:25.95+00:00

    Hi @Fabian ,

    As far as I know there's no documentation stating where a gMSA should be located, however from personal experience they should be created in the default location, as also stated by your Microsoft PFE (who is also from Microsoft).

    Also if you check any guide out there they all use the default location, hope this helps!

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon