gMSA (Group Managed Service Accounts) are a secure and practical identity solution from Microsoft where services can be configured to use the gMSA principal and password management is handled by Windows - you don't need to worry about expired passwords anymore.
gMSAs are the superior option when it comes to security and flexibility. It should always be used, when possible, instead of user accounts, MSAs, security principals, service accounts (with manually managed passwords) and any other on-premises identity types.
Multiple servers - Services and tasks can be set and run across multiple servers, a necessity given the modern state of organizations today
Automated password management - Passwords are automatically generated, rotated and handled by the OS
Passwords are handled by the OS - When applications require a password, they query Active Directory. No human knows the password to that, making it much harder to be compromised
You can delegate management to other administrators - Having the flexibility to delegate management can be incredibly helpful for ensuring there isn't just a single admin responsible for your service account security
Support - The application/service must support gMSAs
AD domain and forest functional level - Windows Server 2012 or newer
KDC - Domain controller with Microsoft Key Distribution Service (KdsSvc) enabled
PowerShell - To create and manage service AD accounts, you need to install the Active Directory module for Windows PowerShell
Supported Windows versions - Windows Server 2012/Windows 8 or newer
Services set up without gMSAs - Rebuilding or changing the service account in applications that already set up and running (e.g. Data Protection Manager, Azure AD Sync) might break these applications, so a full re-install might be necessary to use gMSAs instead of a simple user change
A one-time operation must be performed to create a KDS root key. Do the following:
Login to your DC (Domain Controller) | run the PowerShell command:
Add-KdsRootKey –EffectiveImmediately
Ensure the key has been created succesfully by running the following PowerShell:
Get-KdsRootKey
Login to your DC | run the PowerShell command:
New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName <string>] [-ServicePrincipalNames <string[]>]
Here's how you should fill out each of the bracketed parameters:
Name: The name of your account
DNS Host Name: The DNS hostname of the service
Kerberos Encryption Type: The encryption type supported by the host servers
Managed Password Internal In Days: How often you want the password to be changed (by default this is 30 days -- remember, the change is handled by Windows)
* note: This cannot be changed after the gMSA is created. To change the interval, you'll need to create a new gMSA and set a new interval.
Principals Allowed To Retrieve Managed Password: These can be the accounts of member hosts, or if there is a security group that member hosts are a part of, you would enter them here.
Sam Account Name: This is the NetBIOS name for the service if it's different from the account name.
Service Principal Names: This is a list of the Service Principal Names (SPNs) for the service)
The final command could look like this:
New-ADServiceAccount -name gMSAAccount1 -DNSHostName gMSAAccount1.sydney.ssw.com.au -PrincipalsAllowedToRetrieveManagedPassword gMSAAccount1GroupWithComputerAccountsIn –verbose
Login to the target server | run the PowerShell command to install the Active Directory PowerShell module:
Add-WindowsFeature RSAT-AD-PowerShell
Run the PowerShell command to install the gMSA on the server:
Install-ADServiceAccount -Identity gMSAAccount1
Check if the gMSA is isntalled correctly:
Test-ADServiceAccount gMSAAccount1
If the command returns True, everything is configured correctly.
You can read more about gMSAs here: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview?WT.mc_id=ES-MVP-33518