Group Managed Service Accounts

Managed Service Accounts, introduced in Windows Server 2008 R2, are domain accounts whose passwords are managed automatically, but each account can be used on only one computer. Group Managed Service Accounts (gMSAs) provide the same functionality and extend it to multiple computers.

You can create a Group Managed Service Account only if the Active Directory forest schema has been updated to the Windows Server 2012 level and the root key for the Key Distribution Service (KDS) has been deployed.

The Key Distribution Service is a prerequisite: you must first create a KDS root key. In a production environment, wait 10 hours after creating the key so that it replicates to all domain controllers before it is used; in a lab with a single domain controller, you can force it to take effect immediately.

After replication of the root key has completed, log on to a Windows Server 2012 (or newer) domain controller, create the service account, and specify which computers are allowed to use it.

# Run on a Windows Server 2012 (or newer) domain controller once the KDS root key has replicated.
Import-Module ActiveDirectory

# Create the gMSA; -DNSHostName is required and should be the name the service is reached by.
New-ADServiceAccount -Name <AccountName> -Enabled $true -DNSHostName <FQDN>

# Create a security group for the computer accounts (note the trailing $) that may use the account.
New-ADGroup -Name <AccountNameGroup> -GroupCategory Security -GroupScope Global
Add-ADGroupMember -Identity <AccountNameGroup> -Members <Computer1Name>$,<Computer2Name>$

# Only members of this group may retrieve the managed password from a domain controller.
Set-ADServiceAccount -Identity <AccountName> -PrincipalsAllowedToRetrieveManagedPassword <AccountNameGroup>

After the account has been created and associated with the computers, installation and configuration are the same as for other Managed Service Accounts…
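The whole procedure above (KDS root key, host group, gMSA, retrieval permission) as one script with a verification step at the end; this is an added example, not code from the original page. The names gmsaWebSvc, gmsaWebSvc-Hosts, WEB01/WEB02 and the suffix corp.example are assumptions to replace for your own domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example: provision a gMSA end to end, then check who may retrieve its password.
param(
    [string]$AccountName = 'gmsaWebSvc',          # assumed name
    [string]$HostGroup   = 'gmsaWebSvc-Hosts',    # assumed group for the service hosts
    [string[]]$Hosts     = @('WEB01', 'WEB02'),   # assumed computer names
    [string]$DnsSuffix   = 'corp.example',        # assumed DNS suffix
    [switch]$Lab                                  # single-DC lab: make the key usable now
)
Import-Module ActiveDirectory

# 1. KDS root key, created once per forest. In production the key is only usable
#    after the 10-hour replication window; in a single-DC lab it can be backdated.
if (-not (Get-KdsRootKey)) {
    if ($Lab) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null }
    else      { Add-KdsRootKey -EffectiveImmediately | Out-Null }
}

# 2. Host group: only its members may retrieve the managed password, so keep it to
#    the exact computers that run the service rather than a broad built-in group.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupCategory Security -GroupScope Global
}
$members = $Hosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $HostGroup -Members $members

# 3. The gMSA itself, bound to the host group at creation time (AES-only Kerberos,
#    30-day password rotation; the interval can only be set when the account is created).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -Enabled $true `
        -DNSHostName "$AccountName.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType 'AES128,AES256' `
        -ManagedPasswordIntervalInDays 30
}

# 4. Verify: list every principal allowed to retrieve the password and warn when
#    it is a broad well-known group (RID 513 = Domain Users, 515 = Domain Computers).
$acct = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $sid = (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
    if ($sid -match '-(513|515)$') {
        Write-Warning "$AccountName password is retrievable by a broad group: $dn"
    } else {
        Write-Output "OK: $dn may retrieve the password for $AccountName"
    }
}
```

Computers added to the host group only pick up the new group membership in their Kerberos ticket after a reboot (or a fresh logon), so run Install-ADServiceAccount and Test-ADServiceAccount on each host only after that.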