Sunday, August 27, 2017

Group Managed Service Accounts

  • Supported from Server 2012
    • MSA support started with Server 2008 R2.
  • Supports running scheduled tasks as well as services.
  • Has a 120-character password.
  • The password is automatically reset every 30 days by default.
  • An MSA is local to one machine, while a gMSA is global (domain-wide) and shared by multiple machines in the same domain.
    • gMSA passwords are managed by the Key Distribution Service (KDS) on Windows Server 2012 DCs.
  • AD schema needs to be upgraded to 2012.
    • No forest or functional level requirement.
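
The points above as a provisioning and audit sequence. This is an added example, not part of the original post. It assumes the ActiveDirectory RSAT module is available, and the account name, DNS name and host group are hypothetical placeholders.

```powershell
# Added example. $Name, $DnsName and $HostGroup are hypothetical placeholders.
Import-Module ActiveDirectory

$Name      = 'gmsa-app01'
$DnsName   = 'gmsa-app01.example.test'
$HostGroup = 'gMSA-App01-Hosts'   # AD group holding the member servers

# 1. On a DC: gMSA passwords are derived by KDS from a root key.
#    Create one only if the forest has none yet.
if (-not (Get-KdsRootKey)) {
    # DCs wait about 10 hours before using a new key so it can replicate.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. Only members of $HostGroup may retrieve its password.
#    The rotation interval (30 days is the default) can only be set at creation.
New-ADServiceAccount -Name $Name -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30

# 3. On each member server: install the account and confirm the host
#    can actually retrieve the managed password.
Install-ADServiceAccount -Identity $Name
if (-not (Test-ADServiceAccount -Identity $Name)) {
    throw "This host cannot retrieve the password for $Name"
}

# 4. Run a scheduled task as the gMSA. No password is supplied;
#    LogonType Password tells Task Scheduler to fetch it from AD.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$Name`$" -LogonType Password
$action    = New-ScheduledTaskAction -Execute 'C:\Scripts\job.cmd'   # hypothetical path
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'gMSA-Job' -Action $action -Trigger $trigger -Principal $principal

# 5. Audit: list every gMSA, its rotation interval, and who can read its password.
#    Any principal in the last column can obtain the account's credentials.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword,
        'msDS-ManagedPasswordInterval' |
    Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount' |
    Select-Object Name,
        @{ n = 'IntervalDays';        e = { $_.'msDS-ManagedPasswordInterval' } },
        @{ n = 'CanRetrievePassword'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```

Step 5 is worth running periodically: the retrieval list is the effective access control on a gMSA, so it should name only the hosts that run the service.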