Service account migration to group managed service accout.

Harish Parameswaran 46 Reputation points
2022-02-09T02:18:16.567+00:00

Hi Readers, Beginner here.

I'm looking to migrate the existing service accounts to group managed service accounts.

will it affect the existing endpoint using the service associated with it?
will the endpoint using the application be able to automatically query the password once the gmsa is setup?

Please suggest a best way to go about it.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,288 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 39,436 Reputation points
    2022-02-09T15:20:36.66+00:00

    Hello HarishParameswaran,

    There is no specific "best practice" about this. It everything depends on the Service Accounts and what permissions they have and services are used for. The general recommendation is to audit the access of the accounts to be migrated to see if they are overprivileged, special permissions, manual ACL inclusions, etc.

    You can use different 3rd Party software such as Netwrix Auditor 9​ or Active Directory Service Credentials Manager to easily parse and examine that information. Though you could certainly achieve the same with several other tools, by yourself manually perusing the logs.

    I would also recommend some reading to the next article and subthreads explaining regarding the usage and adoption of gMSA accounts: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed

    -----------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments