Creating_a_gMSA
Creating a gMSA
Perform the following steps in the Active Roles console to create a group Service Managed Account (gMSA).
To create a gMSA
- Right-click the OU or container in which you want to create a gMSA and select New | Group Managed Service Account.
- In the wizard that opens, complete following fields:
- Name Specifies the name of the gMSA in Active Directory.
- Description Specifies a description of the gMSA.
- DNS host name Normally, you should supply the fully qualified domain name of the server on which you are going to use this gMSA. For example,
ITFarm1.domain.com.
- Account name (pre-Windows 2000) Specifies the legacy logon name of the gMSA (sAMAccountName). Normally, this setting is identical to the name of the gMSA.
- Password change interval (days) Specifies the number of days before a managed password is automatically changed for the gMSA. This setting can be modified only upon account creation. After the gMSA is created, this setting is read-only.
- Computers or groups Specifies the computers on which the gMSA can be used to run services. You can add individual computers to this field, or you can add computers to a security group and then add the group to this field.
Managing_properties_of_a
Managing properties of a gMSA
For an existing group Managed Service Account (gMSA), perform the following steps in the Active Roles console to view or change the properties of the gMSA.
To view or change the properties of the gMSA
- Right-click the gMSA you want to administer and click Properties.
This opens the Properties dialog box containing the same fields as the gMSA creation wizard (see Creating a gMSA) with the only difference that the Password change interval field is read-only. In addition, the Account is disabled check box on the Account page shows whether the gMSA is disabled for logon, and allows you to disable and re-enable the gMSA.
Searching_for_gMSA_in_th
Searching for gMSA in the directory
The Active Roles console allows you to find group Managed Service Accounts that meet your search conditions.
To search for gMSA in the directory
- Right-click the OU, domain or container in which you want to search for gMSA and click Find.
- In the Find window that opens, configure and start your search:
- In the Find list, click Custom Search.
- Click the Field button, and select the msDS-GroupManagedServiceAccount object type and the object property to search for.
- Configure and add the desired search condition for the object property you have selected.
- If needed, add more search conditions by repeating Steps b and c.
- Click Find Now.
In the list of search results, right-click a gMSA and use the shortcut menu to perform management tasks. For example, you can right-click a gMSA and then click Properties to view or change the properties of the gMSA.
Disabling_or_re_enabling
Disabling or re-enabling a gMSA
The Active Roles console allows you to disable a gMSA so that the gMSA cannot be used for logon. For a disabled gMSA, you can use the console to re-enable that gMSA.
To disable or re-enable a gMSA
- Right-click the gMSA you want to administer and click Properties.
- In the Properties dialog box, click the Account tab, and examine the Account is disabled check box:
- If the check box is not selected, then the gMSA is enabled for logon. You can disable the gMSA by selecting the Account is disabled check box.
- If the check box is selected, then the gMSA is disabled. You can re-enable the gMSA by clearing the Account is disabled check box.
Alternatively, you can use the Disable Account or Enable Account command on the gMSA object to disable or re-enable the gMSA.
