This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 36%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hi
One of the Microsoft PFE advised me that a gMSA must be in the default location (CN=Managed Service Accounts,DC=contoso,DC=com) and not in OU (e.g. OU=gMSA,OU=Tier0,DC=contoso,DC=com) . Otherwise there would be problems with the KDS. This does not make sense to me, because this would prevent OU based delegations. I have not found any information that this is not supported.
Can anyone from MS confirm whether gMSA can be placed in another OU or not?
Greetings, fabian
As additional information the PFE could not justify his recommendation as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 28.999999999999996%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIE%3C/text%3E%3C/svg%3E)
It is possible to create gMSA outside default container with New-ADServiceAccount and Path parameter with OU path in DN format
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 44%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Yes, you can keep gMSA in different OU.
That should not cause any issue / auth failure.
There was a known issue which is little bit close to your statement. GMSA authentication may report error if DCs are not in Domain Controllers OU.
Here is the reference Doc / fix - https://support.microsoft.com/en-us/help/3094486/kds-doesn-t-start-or-kds-root-key-isn-t-created-in-windows-server-2012
Hi @Fabian ,
As far as I know there's no documentation stating where a gMSA should be located, however from personal experience they should be created in the default location, as also stated by your Microsoft PFE (who is also from Microsoft).
Also if you check any guide out there they all use the default location, hope this helps!
----------
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Best regards,
Leon
Hi @Leon Laude
Thanks for your reply.
however from personal experience they should be created in the default location
Why?
What was your experience ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
I tried to find MS information about this , but no luck.
Following third party link for your reference:
https://support.imanami.com/hc/en-us/articles/360012292593-How-To-Configure-Group-Managed-Service-Account-for-GroupID
Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.
Best Regards,
Hi @Anonymous
Thansk for your reply, this confirms me in my opinion.
Best regards
Hi,
You are welcome!
Please let us know if you would like further assistance.
Best Regards,
