As already explained in the article about ADFS 3.0, Group Managed Service Accounts (gMSA) are supported from Windows Server 2012 onwards. The passwords of these accounts are generated and rotated automatically by Active Directory. In this article I describe which problems gMSAs solve, which applications can use them and how a gMSA is set up.
A lot of applications on Windows platforms are based on services. Many of these services need special permissions on resources and obtain them via the associated service accounts. For example: if a service needs write access to Active Directory, you have to create an AD account for it and grant that account write permissions.
Setting up a “standard” service account
We are now going to set up a service account. It receives extensive permissions in AD and on all machines on which the service will run.
The account gets a strong, but of course non-expiring, password.
Problem 1: We cannot set up the account ourselves
If we cannot create the service user ourselves, we need to be given the password. It has to be communicated securely (for example on a paper note that is destroyed afterwards, or via an encrypted mail).
All of that is a nightmare for every security officer, who of course wants passwords to be changed regularly and tries to prevent passwords from being sent by email.
Problem 2: A server has to be replaced and the password is no longer known
It is also really bad when a server has to be replaced and the password needed to install the service is no longer known.
But if you change the password, you have to change it on every other server on which the service runs as well.
(You can already be proud of yourself if you still know where the account is in use at all.)
Managed Service Accounts with Windows Server 2008R2 / 2012
Windows Server 2008 R2 – Managed Service Accounts
For those reasons, Microsoft introduced Managed Service Accounts (MSA) with Server 2008 R2.
However, they never became really popular, because an MSA was limited to a single machine (making cluster services impossible). The second reason was probably that only very few applications supported them.
Windows Server 2012 – Group Managed Service Accounts
That changed with the introduction of "Group Managed Service Accounts" (gMSA) with Server 2012. They are bound to a group of computers and can therefore be used on multiple servers for the same service, which makes cluster services possible.
One of their main features is that the system creates the password automatically and changes it regularly (every 30 days by default). Moreover, the password never has to be entered anywhere manually, so nobody needs to know it.
Requirements
At least one domain controller running Server 2012 or higher, and the forest schema updated to the Windows Server 2012 level.
All servers on which gMSAs are to be used need Server 2012 (Windows 8 for workstations) or higher.
Application of Group Managed Service Accounts
All actions concerning gMSAs have to be performed via PowerShell (Active Directory module); there is no GUI for them.
</gre_replace>
<gr_replace lines="26-28" cat="clarify" orig="Before you use it">
Before you create the first gMSA, you have to create a KDS "root key" once per forest:
Add-KDSRootKey –EffectiveImmediately
"EffectiveImmediately" means that the new key is published right away. Note, however, that the key can only be used after about 10 hours, so that all domain controllers have replicated it; in a lab you can skip this wait by back-dating it with -EffectiveTime ((Get-Date).AddHours(-10)), which should never be done in production.
Before you use it for the first time, you have to create a one-time “Root-Key”.
Add-KDSRootKey –EffectiveImmediately
“EffectiveImmediately” means that the new key is working on the spot.
Afterwards, the actual GSMA is created:
New-ADServiceAccount -Name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames <SPN1,SPN2,…>
- Name: unique name of the account (at most 15 characters, because the sAMAccountName gets a "$" appended)
- DNSHostName: FQDN under which the service can be reached
- PrincipalsAllowedToRetrieveManagedPassword: the computer(s), or preferably a group of computers, that are allowed to retrieve the password and therefore to run the service under this account. This setting is the real access control of a gMSA: every principal listed here can read the password and act as the account on any host that uses it, so keep it limited to the servers that actually run the service.
- ServicePrincipalNames: the "Service Principal Names" of the service, needed for Kerberos authentication.
Example:
New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com
Note that this example omits -PrincipalsAllowedToRetrieveManagedPassword, so no host is allowed to retrieve the password yet; it can be added afterwards with Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword <group>.
The gMSA has to be installed on each server on which you want to use it. The server must be a member of the group allowed to retrieve the password, and it only picks up a new group membership after a reboot (new Kerberos ticket):
Install-AdServiceAccount <gMSA>
Checking the gMSA (returns True if the server can retrieve the password):
Test-AdServiceAccount <gMSA>
The account can then be assigned to a service just like any other account. Remember to leave the password box empty and to append a "$" to the account name (DOMAIN\<gMSA>$); Windows retrieves the password from AD itself.
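The complete procedure above, from root key to verification, as one added example script (not code from the original article). It assumes a hypothetical service "svc-web" running on the hosts WEB01 and WEB02 in the domain contoso.com, a host group named gMSA-svc-web-Hosts and a Windows service named MyWebService; all of these names are assumptions. It also adds the check a practitioner wants afterwards: a list of who is allowed to retrieve the password of every gMSA in the domain.

```powershell
# Added example, not from the original article. Names below are assumptions.
# Steps 1-3 need Domain Admin rights and the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$gmsaName  = 'svc-web'                  # sAMAccountName becomes svc-web$ (max 15 chars)
$dnsName   = 'web.contoso.com'          # FQDN the service is reached under
$hostGroup = 'gMSA-svc-web-Hosts'       # computers allowed to retrieve the password
$hosts     = 'WEB01', 'WEB02'
$spns      = 'HTTP/web.contoso.com', 'HTTP/web'

# 1. KDS root key, once per forest. Even with -EffectiveImmediately the key is only
#    usable after ~10 hours (replication to all DCs). Only in a throw-away lab
#    back-date it: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Host group. Only its members can read msDS-ManagedPassword, so it must contain
#    nothing but the servers that actually run the service.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $gmsaName gMSA password"
}
foreach ($h in $hosts) {
    Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity $h)
}
# The hosts see the new membership only after a reboot (fresh Kerberos TGT);
# reboot WEB01 and WEB02 before step 4.

# 3. The gMSA itself. The password interval can only be set at creation time;
#    restricting Kerberos to AES avoids RC4 tickets for the account.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -ServicePrincipalNames $spns `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128, AES256
}

# 4. Install and test on every host. Run locally on each host as an administrator:
#        Install-ADServiceAccount -Identity svc-web
#        Test-ADServiceAccount   -Identity svc-web     # must return True
#    or remotely from the admin workstation (the AD module must exist on the hosts):
Invoke-Command -ComputerName $hosts -ArgumentList $gmsaName -ScriptBlock {
    param($name)
    Install-ADServiceAccount -Identity $name
    [pscustomobject]@{
        Host = $env:COMPUTERNAME
        CanRetrievePassword = (Test-ADServiceAccount -Identity $name)
    }
}

# 5. Audit: who may retrieve the password of each gMSA in the domain? Review this
#    regularly; a broad entry such as "Domain Computers" hands the account to every
#    machine in the domain.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{ n = 'AllowedToRetrieve'
                          e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } }

# 6. Bind the service to the account: logon name CONTOSO\svc-web$, empty password.
#    For the assumed service "MyWebService" on a host (run there, elevated):
#        sc.exe config MyWebService obj= 'CONTOSO\svc-web$' password= ''
```

If Test-ADServiceAccount returns False on a host, the usual causes are, in this order: the root key is younger than 10 hours, the host was not rebooted after being added to the group, or the host is not a member of the group named in PrincipalsAllowedToRetrieveManagedPassword at all.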
Other sources for the article: Technet