
Group Managed Service Accounts

Managed Service Accounts, which were introduced in Windows Server 2008 R2, are managed domain accounts that provide automatic password management but are limited to use on only one computer. Group Managed Service Accounts (gMSAs) provide the same functionality but also extend their use to multiple computers.

You can create a Group Managed Service Account only if the Active Directory forest schema has been updated to Windows Server 2012 and the master root key for Active Directory has been deployed.

First, there is a dependency on the Key Distribution Service: you must create a KDS root key before any gMSA can be created. In a production environment, you must wait 10 hours for replication to complete after creating the key; in lab scenarios with a single domain controller, you can force it to take effect immediately.

  • Production (then wait 10 hours for replication):
    Add-KdsRootKey -EffectiveImmediately
  • Lab (single DC; backdates the key so it is usable at once):
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

After replication of the root key has completed, you can log on to a Windows Server 2012 (or newer) domain controller, create the service account, and specify which computers are allowed to retrieve the managed password.

Import-Module ActiveDirectory

# Create the gMSA (the parameter is -Enabled; -Enable only works as a prefix match)
New-ADServiceAccount -Name <AccountName> -Enabled $true -DNSHostName <FQDN>

# Create a security group and add the computer accounts (note the trailing $) that may use the gMSA
New-ADGroup -Name <AccountNameGroup> -GroupCategory Security -GroupScope Global
Add-ADGroupMember -Identity <AccountNameGroup> -Members <Computer1Name>$,<Computer2Name>$

# Only members of this group can retrieve the managed password
Set-ADServiceAccount -Identity <AccountName> -PrincipalsAllowedToRetrieveManagedPassword <AccountNameGroup>

After the account is created and associated with the computers, installation and configuration are the same as for other Managed Service Accounts.
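The whole procedure above, from root key to a read-back of who may retrieve the password, as one added script (not code from the original post). The account name svc-web, the DNS name svc-web.corp.example, the group svc-web-Hosts and the servers WEB01 and WEB02 are placeholder values; the AES-only Kerberos setting is an extra hardening assumption that the post itself does not mention.

```powershell
# Added example, not from the original post. Placeholder values below are assumptions.
# Run on a Windows Server 2012 (or newer) domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory

$AccountName = 'svc-web'                 # assumed gMSA name
$DnsHostName = 'svc-web.corp.example'    # assumed DNS host name for the account
$GroupName   = "$AccountName-Hosts"      # assumed group of hosts allowed to use it
$Computers   = @('WEB01', 'WEB02')       # assumed member servers
$IsLab       = $false                    # $true on a single-DC lab to skip the 10-hour wait

# 1. KDS root key: create one only if the forest does not already have one.
if (-not (Get-KdsRootKey)) {
    if ($IsLab) {
        # Backdate the key so it is effective at once (lab only).
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    } else {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
        Write-Warning 'Wait about 10 hours for the root key to replicate before creating the gMSA.'
    }
}

# 2. Security group that will be the only principal allowed to retrieve the password.
#    Use specific computer accounts here, never a broad group such as Domain Computers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
        -Description "Hosts permitted to retrieve the $AccountName gMSA password"
}
# Resolve computer objects instead of hand-typing the trailing-$ SAM account names.
$Members = $Computers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $Members

# 3. Create the gMSA with the retrieval principal set at creation time.
#    AES-only Kerberos is an assumption added here; remove it if RC4-only clients must use the account.
New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHostName -Enabled $true `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType AES128,AES256

# 4. Audit check: read back who may retrieve the password. Anything besides $GroupName is a finding.
$Allowed = (Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
Write-Output "Principals allowed to retrieve the $AccountName password:"
Write-Output $Allowed

# 5. On each member server (after a reboot, so the machine's token includes the new group):
#    Install-ADServiceAccount -Identity svc-web
#    Test-ADServiceAccount -Identity svc-web     # should return True
```

Step 5 is deliberately left as comments because those cmdlets must run on the member server, not on the domain controller; Test-ADServiceAccount returning False after Install-ADServiceAccount almost always means the computer's Kerberos ticket predates its group membership, which a reboot fixes.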

Copyright © 2022 by Julian Easterling. SOME RIGHTS RESERVED.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.