Group Managed Service Accounts - Cross Domain - Cross Forest

Question

Chrisagardner63 1

Working with GMSA's.

We have a mult-Forest, multi-Domain environment.

I am having problems finding, understanding the following, making sure I am not doing something wrong.

Can I create a GMSA in the Forest Root and have servers in the Child Domains set for password retrieval? My testing is telling me no.

If I create a GMSA in Forest A, can a server in Forest B (Two-Way Trust) be set for password retrieval for the GMSA in Forest A?

The documentation I have found with Microsoft doesn't address this.

2 answers

Answer 1

Thank you for posting here.

After my research, we can see Gmsa is domain-wide.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Hawk Zhang 0 Microsoft External Staff

Hi guys,

I had the same question these days. After investigation through the updated document. I found a huge update of the scope of gMSA.

It turns out that "Use of the gMSA is scoped to any machine that is able to use LDAP to retrieve the gMSA's credentials.".

So, it'll work even across bi-directional trust forests now.

Broonster 51 Reputation points

2024-11-11T05:14:32.2666667+00:00

So how do install the GMSA on a server in the child domain if the GMSA itself exists in the parent domain?
Broonster 51 Reputation points

2024-11-11T05:17:05.7333333+00:00

So how do install the GMSA on a server in a child domain if the GMSA is hosted in the parent domain? When I try to do it I get an error.
Broonster 51 Reputation points

2024-11-11T05:17:28.0633333+00:00

So how do install the GMSA on a server in a child domain if the GMSA is hosted in the parent domain? When I try to do it I get an error.