Group Managed Service Accounts
Чланак 06/25/2024
2 сарадника
Повратне информације
У овом чланку
A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and uses a gMSA for running the agent. You can choose to allow the installer to create a new account or specify a custom account. You'll be prompted for administrative credentials during setup, in order to create this account or set permissions if using a custom account. If the installer creates the account, the account appears as domain\provAgentgMSA$
. For more information on a gMSA, see group Managed Service Accounts .
Prerequisites for gMSA
The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
PowerShell RSAT modules on a domain controller.
At least one domain controller in the domain must be running Windows Server 2012 or later.
A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.
Permissions set on a gMSA account (ALL permissions)
When the installer creates the gMSA account, it sets ALL of the permissions on the account. The following tables detail these permissions
MS-DS-Consistency-Guid
Type
Name
Access
Applies To
Allow
<gmsa account>
Write property mS-DS-ConsistencyGuid
Descendant user objects
Allow
<gmsa account>
Write property mS-DS-ConsistencyGuid
Descendant group objects
If the associated forest is hosted in a Windows Server 2016 environment, it includes the following permissions for NGC keys and STK keys.
Type
Name
Access
Applies To
Allow
<gmsa account>
Write property msDS-KeyCredentialLink
Descendant user objects
Allow
<gmsa account>
Write property msDS-KeyCredentialLink
Descendant device objects
Password Hash Sync
Type
Name
Access
Applies To
Allow
<gmsa account>
Replicating Directory Changes
This object only (Domain root)
Allow
<gmsa account>
Replicating Directory Changes All
This object only (Domain root)
Password Writeback
Type
Name
Access
Applies To
Allow
<gmsa account>
Reset Password
Descendant User objects
Allow
<gmsa account>
Write property lockoutTime
Descendant User objects
Allow
<gmsa account>
Write property pwdLastSet
Descendant User objects
Allow
<gmsa account>
Unexpire Password
This object only (Domain root)
Group Writeback
Type
Name
Access
Applies To
Allow
<gmsa account>
Generic Read/Write
All attributes of object type group and subobjects
Allow
<gmsa account>
Create/Delete child object
All attributes of object type group and subobjects
Allow
<gmsa account>
Delete/Delete tree objects
All attributes of object type group and subobjects
Exchange Hybrid Deployment
Type
Name
Access
Applies To
Allow
<gmsa account>
Read/Write all properties
Descendant User objects
Allow
<gmsa account>
Read/Write all properties
Descendant InetOrgPerson objects
Allow
<gmsa account>
Read/Write all properties
Descendant Group objects
Allow
<gmsa account>
Read/Write all properties
Descendant Contact objects
Exchange Mail Public Folders
Type
Name
Access
Applies To
Allow
<gmsa account>
Read all properties
Descendant PublicFolder objects
UserGroupCreateDelete (CloudHR)
Type
Name
Access
Applies To
Allow
<gmsa account>
Generic write
All attributes of object type group and subobjects
Allow
<gmsa account>
Create/Delete child object
All attributes of object type group and subobjects
Allow
<gmsa account>
Generic write
All attributes of object type user and subobjects
Allow
<gmsa account>
Create/Delete child object
All attributes of object type user and subobjects
Using a custom gMSA account
If you're creating a custom gMSA account, the installer will set the ALL permissions on the custom account.
For steps on how to upgrade an existing agent to use a gMSA account see group Managed Service Accounts .
For more information on how to prepare your Active Directory for group Managed Service Account, see group Managed Service Accounts Overview .
Next steps