Managed Service Accounts, gMSA and Active Directory
- One of the more interesting new features of Windows Server 2008 R2 and Windows 7 is Managed Service Accounts.
- MSAs allow you to create an account in Active Directory that is tied to a specific computer.
- That account has its own complex password, which is maintained automatically. This means an MSA can run services on a computer in a secure and easy-to-maintain manner while retaining the ability to connect to network resources as a specific user principal.
- Active Directory is a service used for discovery, search and replication of user, computer, and service account information on Windows.
- Active Directory Domain Services provide the Windows Active Directory domain(s) used to authenticate computers and users.
- Devices are domain-joined when they are a member of an Active Directory domain. Domain-joined is a device state which not only provides the device with a domain computer identity, but also lights up various domain-joined services.
- Group Managed Service Accounts, often abbreviated as gMSA, are a type of Active Directory account that makes it easy to secure services using Active Directory without sharing a password. Multiple machines or containers share the same gMSA as needed to authenticate connections between services.
CredentialSpec PowerShell Module – This module is used to configure Group Managed Service Accounts to be used with containers. The script module and example steps are available at windows-server-container-tools, see ServiceAccount
- Create a gMSA
- Configure the service to run under (as) the gMSA domain identity
- Give the domain-joined host running the service access to the gMSA secrets in Active Directory
- Grant the gMSA access on the other services it needs to reach, such as a database or file shares
- One may also need to grant the gMSA membership in a local group (like Administrators, or Backup Operators) so it has the necessary rights to accomplish the task.
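The steps above, carried out with the ActiveDirectory and SmbShare cmdlets, as an added example that is not part of the original post; it runs in the order a deployment actually needs (host access before the service is reconfigured). The domain CORP / corp.example.com, the gMSA svc_web, the host WEB01, the group WebHosts, the Windows service MyWebSvc and the share Data are assumed placeholders.

```powershell
# Added example, not from the original post. Placeholders: domain CORP (corp.example.com),
# gMSA svc_web, host WEB01, host group WebHosts, Windows service MyWebSvc, SMB share Data.
# Needs the RSAT ActiveDirectory module; the first two blocks run on a domain controller or
# admin workstation, the remaining blocks on the domain-joined host WEB01.

# --- Prerequisite (once per forest): the KDS root key that gMSA passwords are derived from ---
if (-not (Get-KdsRootKey)) {
    # Becomes usable on all DCs after roughly 10 hours of replication.
    Add-KdsRootKey -EffectiveImmediately
}

# --- Create the gMSA and restrict who may retrieve its password ---
# Only members of WebHosts can read the managed password, and any computer in that group
# can authenticate as the gMSA, so keep the group limited to the hosts running the service.
New-ADGroup -Name 'WebHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebHosts' -Members (Get-ADComputer 'WEB01')
New-ADServiceAccount -Name 'svc_web' `
    -DNSHostName 'svc_web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebHosts' `
    -ServicePrincipalNames 'HTTP/web.corp.example.com'

# --- On WEB01: give the host access to the gMSA secret in Active Directory ---
# The host needs a fresh Kerberos ticket after being added to WebHosts (reboot or klist purge).
Install-ADServiceAccount -Identity 'svc_web'
if (-not (Test-ADServiceAccount -Identity 'svc_web')) {
    throw 'WEB01 cannot retrieve the svc_web managed password; check WebHosts membership and the KDS key.'
}

# --- Configure the service to run as the gMSA (note the trailing $ and the empty password) ---
sc.exe config MyWebSvc obj= 'CORP\svc_web$' password= ''
Restart-Service -Name MyWebSvc

# --- Grant the gMSA access on the other service, here an SMB file share ---
Grant-SmbShareAccess -Name 'Data' -AccountName 'CORP\svc_web$' -AccessRight Change -Force

# --- Optional: local group membership when the task needs extra rights on the host ---
Add-LocalGroupMember -Group 'Backup Operators' -Member 'CORP\svc_web$'
```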