gMSA not in default location

Fabian 261 Reputation points
2020-10-02T08:44:13.77+00:00

Hi

One of the Microsoft PFEs advised me that a gMSA must be in the default location (CN=Managed Service Accounts,DC=contoso,DC=com) and not in an OU (e.g. OU=gMSA,OU=Tier0,DC=contoso,DC=com). Otherwise there would be problems with the KDS. This does not make sense to me, because it would prevent OU-based delegations. I have not found any information that this is not supported.

Can anyone from MS confirm whether gMSA can be placed in another OU or not?

Greetings, fabian

Active Directory

Accepted answer
  1. Suman Bhowmik 76 Reputation points
    2020-11-26T14:25:50.113+00:00

    Yes, you can keep a gMSA in a different OU.
    That should not cause any issue / auth failure.

    There was a known issue that is a little bit close to your statement: gMSA authentication may report an error if the DCs are not in the Domain Controllers OU.
    Here is the reference doc / fix: https://support.microsoft.com/en-us/help/3094486/kds-doesn-t-start-or-kds-root-key-isn-t-created-in-windows-server-2012

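    The following PowerShell is an added worked example illustrating the accepted answer; it is not from either poster. It creates a gMSA directly in a non-default (Tier 0) OU with -Path, confirms where it landed, and then runs the checks that matter for the two failure modes discussed in this thread: the KDS root key must exist, and the domain controllers must still sit in the default Domain Controllers OU (the KB3094486 condition). The domain contoso.com, the OU OU=gMSA,OU=Tier0, the host group WebServers and the account name svc-web are assumed names for illustration only.

```powershell
# Added example, not from the thread. Assumed names: contoso.com, OU=gMSA,OU=Tier0,
# security group "WebServers" (the hosts allowed to fetch the password), gMSA "svc-web".
Import-Module ActiveDirectory

# 1. Pre-check: a KDS root key must exist, otherwise New-ADServiceAccount fails.
#    (Creating one is a Tier 0 change: Add-KdsRootKey -EffectiveImmediately, lab only.)
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one before creating gMSAs.'
}

# 2. Pre-check for the KB3094486 condition the accepted answer refers to:
#    every DC should be under the default Domain Controllers OU.
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$strayDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOu" }
if ($strayDcs) {
    Write-Warning "DCs outside the Domain Controllers OU: $($strayDcs.HostName -join ', ')"
}

# 3. Create the gMSA in the Tier 0 OU instead of CN=Managed Service Accounts.
$gmsaOu = 'OU=gMSA,OU=Tier0,DC=contoso,DC=com'
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.contoso.com' `
    -Path $gmsaOu `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -KerberosEncryptionType AES128, AES256

# 4. Confirm the object is where we asked for it and who may read its password.
$acct = Get-ADServiceAccount -Identity 'svc-web' `
    -Properties DistinguishedName, PrincipalsAllowedToRetrieveManagedPassword
$acct | Select-Object DistinguishedName, PrincipalsAllowedToRetrieveManagedPassword
if ($acct.DistinguishedName -notlike "*,$gmsaOu") {
    throw "gMSA was not created under $gmsaOu"
}

# 5. On a host that is a member of WebServers (after a reboot so its token carries
#    the new group), install the account and test password retrieval from a DC.
#    Test-ADServiceAccount returning True proves the OU placement caused no KDS issue.
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'
```

    If an existing gMSA was created in the default container, Move-ADObject with its DistinguishedName and -TargetPath pointing at the Tier 0 OU relocates it; the msDS-ManagedPassword blob is computed from the KDS root key and the object's identity, not from its DN, so the move does not rotate or invalidate the password.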

1 additional answer

  1. Leon Laude 85,566 Reputation points
    2020-10-02T09:15:25.95+00:00

    Hi @Fabian ,

    As far as I know there's no documentation stating where a gMSA should be located, however from personal experience they should be created in the default location, as also stated by your Microsoft PFE (who is also from Microsoft).

    Also if you check any guide out there they all use the default location, hope this helps!

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon