Group Managed Service Accounts (GMSA) are a type of managed service account in Windows environments that enable services to run under a shared identity while keeping password management secure. Let’s take a look at the reasons why GMSAs are a good option and how to set them up.

Advantages of Using a GMSA

1. Centralized Password Management: GMSAs simplify password management by securely storing the account password in Active Directory, removing the need for manual updates and password rotations.
2. Improved Security: GMSAs provide increased security by reducing the exposure of account credentials on multiple systems, a common issue with traditional service accounts.
3. Easy Deployment: GMSAs make it easier to deploy services that run on multiple systems by allowing the use of a single identity for multiple services, eliminating the need for separate service account management on each system.
4. Enhanced Auditing: GMSAs allow for tracking and auditing of the shared identity usage for services, making it easier to identify any malicious activity.

How to Create a GMSA

The steps to create a GMSA in a Windows environment are as follows:

1. Verify requirements: Make sure the system is running at least Windows Server 2012 R2 and has the Active Directory Domain Services role installed on the domain controller.
2. Create GMSA account: Open the Active Directory Administrative Center and go to the Managed Service Accounts container. Right-click and select “New” and then “Group Managed Service Account”. Complete the wizard to create a new GMSA account.
3. Install GMSA on target systems: On each system where the GMSA is to be used, install the GMSA account using Windows PowerShell by running the following command: Add-KdsRootKey -EffectiveImmediately.
4. Assign GMSA to service: After the GMSA has been installed on the target systems, assign it to the service by editing the service properties and selecting the “Log On” tab. Choose the GMSA account from the list of available accounts.

Group managed service accounts provide a secure and efficient way to handle service identities in a Windows environment. By centralizing password management and reducing the exposure of account credentials, GMSAs can improve the security of services and simplify deployment.