What is GMSA (Group Managed Service Accounts) and How to Configure It?
Group Managed Service Accounts (gMSA) are an advanced version of Managed Service Accounts (MSA), a feature of Microsoft Active Directory (AD).
In today's rapidly changing world of technology, security is a higher priority than ever. Group Managed Service Accounts (gMSA) stand out as a solution offered by Microsoft Active Directory to close critical gaps in network security. gMSAs are designed to meet advanced security and automation needs, which gives IT professionals significant advantages.
This feature was first introduced in Windows Server 2012. gMSAs are designed specifically for services and applications that require automated and secure password management. Because these accounts are meant for services that run on a network, they are especially useful when a service needs to run with load balancing across multiple servers.
What is gMSA?
GMSA (Group Managed Service Accounts) is an account type that Microsoft developed as the next step beyond Managed Service Accounts (MSA). Introduced with Windows Server 2012, these accounts are designed to let services and applications operate securely and smoothly on multiple servers.
gMSA Advantages
- Automatic Password Management: Perhaps the biggest advantage of GMSAs is automatic password rotation. While traditional service accounts require manual password updates at regular intervals, GMSAs automate this process completely: Active Directory generates strong passwords for these accounts and changes them at regular intervals. This eliminates human error and reduces the risk of a security breach caused by a stale or shared service password.
- Using Multiple Servers: A single GMSA can be used on multiple servers, which is ideal for applications that require scalability and load balancing. Running multiple instances of a service under one account is a good fit for large, distributed systems.
- Central management: All GMSAs can be centrally managed via Active Directory. This allows IT departments to control, monitor, and report on accounts more effectively. Centralized management also provides greater opportunities for policy-based management and automation.
- SPN Management: In AD environments that use gMSAs, SPN (Service Principal Name) management becomes more convenient.
gMSA Requirements
There are certain prerequisites that must be met before Group Managed Service Accounts (GMSA) can be used. These requirements ensure that GMSAs operate and can be managed properly:
- Active Directory Infrastructure: GMSAs are provided by Active Directory Domain Services (AD DS), so you must have an Active Directory forest and domain.
- Windows Server Edition: To create and manage GMSAs, you need a Domain Controller running at least Windows Server 2012 or later at the forest level.
- Windows Server 2012 added new schema attributes for gMSA:
- msDS-GroupMSAMembership
- msDS-ManagedPassword
- msDS-ManagedPasswordInterval
- msDS-ManagedPasswordID
- msDS-ManagedPasswordPreviousID
- Schema Requirements: Active Directory schema must be updated to support GMSAs. Schema updates included with Windows Server 2012 or later are required.
- KDS Root Key: The Key Distribution Service (KDS) root key, which is used to generate passwords for Group Managed Service Accounts, must be installed. Starting with Windows Server 2012, this key is automatically generated in AD DS.
- PowerShell: PowerShell cmdlets are used to manage GMSAs, so it is important to be familiar with these cmdlets and be able to use them.
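The attributes listed above are also what a defender should review: msDS-GroupMSAMembership decides who may read the managed password and msDS-ManagedPasswordInterval decides how often it rotates. As an added example that is not part of the original article, the following PowerShell script uses the Active Directory module cmdlets (the cmdlets expose msDS-GroupMSAMembership as PrincipalsAllowedToRetrieveManagedPassword) to audit every gMSA in the domain and flag retrieval lists that are too broad, empty, or intervals longer than the 30-day default. The function name Get-GmsaAuditReport, the 30-day threshold and the list of "too broad" principals are my assumptions.

```powershell
# Added example (not from the original article): audit every gMSA in the domain and
# report who may retrieve its managed password. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the msDS-* attributes.
Import-Module ActiveDirectory

# Principals whose presence in the retrieval list makes the password readable far
# too broadly. Domain groups are matched by RID suffix, well-known ones by full SID.
$broadRidSuffixes   = @('-513', '-515')         # Domain Users, Domain Computers
$broadWellKnownSids = @('S-1-5-11', 'S-1-1-0')  # Authenticated Users, Everyone
$maxIntervalDays    = 30                        # assumed threshold (AD default is 30)

function Get-GmsaAuditReport {
    # Only group MSAs; standalone MSAs have a different object class.
    $accounts = Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" `
        -Properties DNSHostName, 'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword

    foreach ($acct in $accounts) {
        $findings   = @()
        $principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)

        if ($principals.Count -eq 0) {
            $findings += 'no principal may retrieve the password (unused or misconfigured)'
        }

        foreach ($dn in $principals) {
            # Resolve the DN to a SID; leave entries that cannot be resolved as raw text.
            try {
                $sid = (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
            } catch {
                $sid = [string]$dn
            }
            $isBroadRid = [bool]($broadRidSuffixes | Where-Object { $sid.EndsWith($_) })
            if (($broadWellKnownSids -contains $sid) -or $isBroadRid) {
                $findings += "overly broad retrieval principal: $dn"
            }
        }

        $interval = $acct.'msDS-ManagedPasswordInterval'
        if ($interval -gt $maxIntervalDays) {
            $findings += "password rotation interval is $interval days (default is 30)"
        }

        [pscustomobject]@{
            Name         = $acct.Name
            DNSHostName  = $acct.DNSHostName
            IntervalDays = $interval
            Retrievers   = ($principals -join '; ')
            Findings     = ($findings -join '; ')
        }
    }
}

Get-GmsaAuditReport | Format-Table -AutoSize
```

An empty Findings column is the desired state: each gMSA is retrievable only by the narrow computer group created for it, which is exactly what the procedure later in this article sets up.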
How is a Group Managed Service Account (gMSA) Created?
Group Managed Service Accounts (GMSAs) simplify and strengthen service account management. Creating GMSAs enables organizations to run their services securely.
1. Fulfillment of Prerequisites: Before creating a GMSA, ensure that your Active Directory schema is up to date and that the required KDS root key is present. You will also need access to a Domain Administrator account.
Creating the KDS Root Key: If it has not been created yet, you need to create a root key for the Key Distribution Service. This can be done with the following PowerShell cmdlet:
Under normal circumstances you need to wait 10 hours after creating the KDS root key before it can be used; for this article we will use the form of the command that makes the key effective immediately.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Creating a Group for the gMSA: We need to create a group for the computer accounts that will use the gMSA. This can be done with PowerShell or with ADUC.
In Active Directory Users and Computers (ADUC), right-click the OU in which the group will be created and follow New - Group. The group we will create is a Global Security group.

Then, on the Members tab, add the computer accounts that will use the gMSA as members of the group.

Creating a Security Group with PowerShell:
New-ADGroup -DisplayName GMSAGroupDisplayName -GroupScope Global -GroupCategory Security -Name GMSAGroupName
Adding group members with PowerShell (the quoted value is a placeholder, Turkish for "computer to be added"; replace it with the computer account to add, for example SERVER01$ or its distinguished name):
Add-ADGroupMember -Identity GMSAGroupName -Members "Eklenmesi Gereken Bilgisayar"
Creating the GMSA: To create a GMSA we use the New-ADServiceAccount PowerShell cmdlet. In the command below, GMSA_Adi (the account name) and GrupAdi (the group name) are placeholders; replace them with your own names.
New-ADServiceAccount -Name GMSA_Adi -DNSHostName GMSA.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "GrupAdi"

This command creates a GMSA whose password may be retrieved only by the members of the specified group of servers.
When we open the Managed Service Accounts container in Active Directory Users and Computers, we can see the gMSA account we created.

Adding the gMSA Account to a Server:
To use a GMSA on a server, you must first install the account on that server. This is done with the Install-ADServiceAccount cmdlet, and the Active Directory PowerShell module must be installed on that server.
You can run the following command in PowerShell to install the Active Directory PowerShell module.
Add-WindowsFeature RSAT-AD-PowerShell
Using the GMSA on a Server: Once the module is installed, add the account to the server with the Install-ADServiceAccount cmdlet:
Install-ADServiceAccount GMSA_Adi
You can use the command below to test whether the account was installed correctly on the server.
Test-ADServiceAccount GMSA_Adi
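The steps above, from the KDS root key to the final test, as one script. This is an added example and not the article's own code: GMSA_Adi, GMSAGroupName and GMSA.contoso.com are the article's placeholders, while the server names APP01/APP02, the OU path, and the helper function Install-GmsaOnThisServer are my assumptions. It goes slightly beyond the article by checking for existing objects before creating them and by restricting the account to AES Kerberos encryption.

```powershell
# Added example (not the article's own code): the whole gMSA procedure as one script.
# Run steps 1-4 on a machine with the RSAT ActiveDirectory module as a domain admin;
# step 5 is run on each member server.
Import-Module ActiveDirectory

$GmsaName    = 'GMSA_Adi'                     # placeholder from the article
$GroupName   = 'GMSAGroupName'                # placeholder from the article
$DnsHostName = 'GMSA.contoso.com'             # placeholder from the article
$Servers     = @('APP01', 'APP02')            # assumed: computers that will run the service
$GroupOu     = 'OU=Groups,DC=contoso,DC=com'  # assumed: where the group is created

# 1. KDS root key: create one only if the domain has none. In production omit
#    -EffectiveTime and wait the 10 hours so every DC has replicated the key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Global security group that holds the computer accounts allowed to use the gMSA.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOu -PassThru
}

# 3. Membership: look each computer object up first so a typo fails here, and skip
#    computers that are already members.
$currentMembers = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.distinguishedName })
foreach ($server in $Servers) {
    $computer = Get-ADComputer -Identity $server
    if ($currentMembers -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
}

# 4. The gMSA itself. Only members of $GroupName may retrieve its password, and
#    AES-only Kerberos keeps RC4 service tickets off the wire.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -KerberosEncryptionType AES128, AES256
}

# 5. Run this part ON EACH member server after it has rebooted (or purged its
#    system Kerberos ticket) so the new group membership is in its token. It needs
#    the RSAT-AD-PowerShell feature from the article installed locally.
function Install-GmsaOnThisServer {
    param([string]$Name)
    Install-ADServiceAccount -Identity $Name
    # Test-ADServiceAccount returns $true when this server can retrieve the password.
    return (Test-ADServiceAccount -Identity $Name)
}
# On a member server: Install-GmsaOnThisServer -Name $GmsaName
```

If Test-ADServiceAccount returns False, the most common cause is that the server obtained its Kerberos ticket before it was added to the group, so the group SID is missing from its token; a reboot of the member server resolves that.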
In this article we covered the GMSA creation process. If you need to perform NTP synchronization in your Active Directory environment, you can follow the article below.
https://cengizyilmaz.net/domain-controller-saat-senkronizasyonu-ntp-sync/