Using Group Managed Service Accounts (gMSA) to set and forget the Service Accounts.

Question

Using Group Managed Service Accounts (gMSA) to set and forget the Service Accounts.

EnterpriseArchitect 6,346

Hi Everyone,

I have the requirement to use gMSA (Group Managed Service Accounts) to replace the statically assigned service account in my AD domain joined Servers that is already members of highly privileged groups like: Domain Admins, Enterprise Admins, etc...

I assume that any AD account that is running or used by the Windows or Application services can be replaced with this gMSA as it is very secure and no need to worry about writing down the password somewhere.

The normal service account is currently used by:

Azure AD Sync
ADFS
SQL Server

What's the best practice for when to use gMSA and when NOT to use gMSA ?

Thanks in advance.

Anonymous

2021-06-18T03:49:19.003+00:00

Hello @EnterpriseArchitect ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer accepted by question author

1 additional answer

Your answer

Anonymous

2021-06-18T03:49:19.003+00:00

Hello @EnterpriseArchitect ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 1

Leon Laude 86,101

Hi @EnterpriseArchitect ,

Microsoft has written on their official documentation a good text on when to use gMSAs and the benefits from using them:

Benefits of using gMSAs
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed#benefits-of-using-gmsas

When to use gMSAs
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed#when-to-use-gmsas

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Best regards,
Leon

EnterpriseArchitect 6,346 Reputation points

2021-06-11T07:29:54.3+00:00

Hi @Leon Laude ,

I assume with gMSA, we do not need to keep the password or even change it anymore?
Leon Laude 86,101 Reputation points

2021-06-11T07:31:58.727+00:00

Yes that's correct, there's no need for your administrators to manage the passwords any longer.
EnterpriseArchitect 6,346 Reputation points

2021-06-11T07:51:11.19+00:00

So how can I retype the gMSA service account password when I need to install another server and use the same gMSA ?

What's the steps?
Leon Laude 86,101 Reputation points

2021-06-11T07:59:01.543+00:00

Similar to managed service account, when you configure the gMSA with any service, leave the password as blank.

There are ways of retrieving the password though, here's one guide I found:
https://gist.github.com/NotMedic/e098ddef056fcea4288051e7d78a4618

Answer 2

Anonymous

Hello @EnterpriseArchitect ,

Thank you for posting here.

Hope the information provided by LeonLaude is helpful to you.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Share via

Using Group Managed Service Accounts (gMSA) to set and forget the Service Accounts.

1 additional answer

Your answer