Support for group managed service accounts

Operations Manager supports group managed service accounts (gMSA). This article details the accounts used for gMSA and the procedures involved with gMSA support.

Note

The article provides information on how to use gMSA in operations manager, and doesn't include information on how to create these. For information on how to create gMSA accounts, see gMSA accounts.

Accounts used for gMSA

Currently, the Operations Manager uses the following accounts and services:

• Action Accounts
  • Default Action account-management server Action account
  • Agent Action account
  • GW Server Action account
  • Run as accounts
• System Center Configuration Service and System Center Data Access Service (needs to be a part of local administrators group).
• Data Reader account (for SSRS) must be a member of Operations Manager Report Security Administrators group.
• Data Warehouse Write account (for DW) must be a member of Operations Manager Report Security Administrators group.
• Agent Installation account
  • MSAA, by default, needs admin rights on the target computers.

Note

Group Managed Service Accounts (gMSAs) are not supported as a SQL report server service account for Data reader account.

To use gMSA, administrators must do the following:

Verify if managed service accounts can be used on the computer

Run the following PowerShell command for each gMSA account. If it returns True, then gMSA is ready to be used on the management server you selected.

Test-ADServiceAccount <gMSA_name>

Next steps

To use gMSA, do the following:

• Provide security rights

• Change databases

• Service level account changes

• Console level changes