You can administer group Managed Service Accounts (gMSAs) with Active Roles. gMSA is a domain security principal whose password is managed by Domain Controllers (DCs) and can be retrieved by multiple systems running supported Windows Server operating systems. Having Windows services use gMSA as their login account minimizes the administrative overhead by enabling Windows to handle password management for service accounts. gMSAs provide the same functionality as Managed Service Accounts (MSAs), but extend that functionality over multiple servers.
As you can use a single gMSA on multiple servers, gMSA provides a single identity solution for services running on a server farm. With a service hosted on a server farm, gMSA enables all service instances to use the same logon account (which is a requirement for mutual authentication between the service and the client), while letting Windows change the account password periodically instead of relying on the administrator to perform that task.
For more information about group Managed Service Accounts, see Group Managed Service Accounts Overview.
The Active Directory domain in which you are going to create and administer group Managed Service Accounts must meet the following requirements:
- The domain has at least one Domain Controller (DC) that runs Windows Server 2016 or newer.
- The domain has the KDS Root Key created.
  You can create a KDS Root Key by running the Add-KDSRootKey PowerShell command on the DC. For more information, see Create the Key Distribution Services KDS Root Key.
NOTE: You cannot perform Exchange-related operations on the on-premises Exchange Server environment with the gMSA account. For example, you cannot manage remote mailboxes, user mailboxes, or contacts.
Perform the following steps in the Active Roles Console to create a group Managed Service Account (gMSA).
To create a gMSA
- Right-click the OU or container in which you want to create a gMSA and select New > Group Managed Service Account.
- In the wizard that opens, complete the following fields:
  - Name: Specifies the name of the gMSA in Active Directory.
  - Description: Specifies a description of the gMSA.
  - DNS host name: Specifies the DNS host name. Typically, this is the fully qualified domain name of the server on which you will use the gMSA, for example your-organization.domain.com.
  - Account name (pre-Windows 2000): Specifies the legacy login name of the gMSA (sAMAccountName). Typically, the value of this setting is the same as the name of the gMSA.
  - Password change interval (days): Specifies the number of days before the managed password is automatically changed for the gMSA.
    NOTE: You can configure this setting only when creating the gMSA. After creating the gMSA, this setting is read-only.
  - Computers or groups: Specifies the computers on which the gMSA can be used to run services. You can add individual computers to this field, or you can add computers to a security group, then add the group to this field.
For an existing group Managed Service Account (gMSA), perform the following steps in the Active Roles Console to view or change the properties of the gMSA.
To view or change the properties of the gMSA, right-click the gMSA you want to administer and click Properties.
This opens the Properties dialog containing the same fields as the gMSA creation wizard (see Creating a gMSA) with the only difference that the Password change interval field is read-only. In addition, the Account is disabled check box on the Account page shows whether the gMSA is disabled for login, and allows you to disable and re-enable the gMSA.
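The prerequisite checks, the creation wizard fields and the property review described above, as an added example using the Windows ActiveDirectory PowerShell module rather than the Active Roles Console (this is not Active Roles code; OU path, group, host and account names are placeholders):

```powershell
# Added example: gMSA prerequisites, creation and review with the Windows
# ActiveDirectory module. All names below are placeholders for your environment.
Import-Module ActiveDirectory

# Prerequisite 1: at least one DC running Windows Server 2016 or newer.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion

# Prerequisite 2: a KDS Root Key must exist. Create one only if it is missing.
if (-not (Get-KdsRootKey)) {
    # Even with -EffectiveImmediately, DCs need about 10 hours of replication
    # before the key can be used to create gMSAs in a production domain.
    Add-KdsRootKey -EffectiveImmediately
}

# Least privilege: only the servers that run the service may retrieve the
# managed password. Express that as a security group (placeholder name)
# so hosts can be added or removed without touching the account itself.
$allowedHosts = Get-ADGroup -Identity 'gMSA-WebFarm-Hosts'

# Equivalent of the wizard fields. The pre-Windows 2000 name defaults to
# the Name with a trailing '$'. The password change interval can only be
# set here; it is read-only once the account exists.
New-ADServiceAccount -Name 'svc-webfarm' `
    -Description 'gMSA for the IIS web farm (placeholder)' `
    -DNSHostName 'webfarm.your-organization.domain.com' `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -Path 'OU=Service Accounts,DC=your-organization,DC=domain,DC=com'

# Review the properties, as the Properties dialog does. Enabled mirrors the
# "Account is disabled" check box on the Account page.
$props = @('DNSHostName', 'ManagedPasswordIntervalInDays',
           'PrincipalsAllowedToRetrieveManagedPassword', 'Enabled')
Get-ADServiceAccount -Identity 'svc-webfarm' -Properties $props |
    Format-List (@('Name') + $props)

# Changes after creation (allowed hosts, description, enable/disable) go
# through Set-ADServiceAccount; the interval cannot be changed this way.
# Set-ADServiceAccount -Identity 'svc-webfarm' -Enabled $false

# On each member server, install the account and confirm it can retrieve
# the managed password (Test-ADServiceAccount returns True when it can).
# Install-ADServiceAccount -Identity 'svc-webfarm'
# Test-ADServiceAccount -Identity 'svc-webfarm'
```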