There is a point to this story, but it has temporarily escaped my mind...
Contact Me MyFaceBook MyLinkedIn MyGitHub MyTwitter

Group Managed Service Accounts

Managed Service Accounts, which were introduced in Windows Server 2008 R2, are managed domain accounts that provide automatic password management but are limited to use on only one computer. Group Managed Service Accounts provides the same functionality but also extends their use to multiple computers.

You can create a Group Managed Service Account only if the Active Directory forest schema has been updated to Windows Server 2012 and the master root key for Active Directory has been deployed.

First, there is a dependency on the Key Distribution Service. You must first configure a KDS Root Key. In a production environment, you must wait 10 hours for replication to complete after creating the key, but in lab scenarios with single domain controllers, you can force it to take effect immediately

  • Production:
    Add-KdsRootKey –EffectiveImmediately
  • Lab:
    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

After Replication of the root key has completed, you can log onto a Windows 2012 (or newer) domain controller and create the service account and specify which computers have access to the managed service account.

Import-Module ActiveDirectory
 
New-ADServiceAccount -Name <AccountName> -Enable $true -DNSHostName <FQDN>
 
New-ADGroup -Name <AccountNameGroup> -GroupCategory Security -GroupScope Global
Add-ADGroupMember <AccountNameGroup> <Computer1Name>$,<Computer2Name>$ 
 
Set-ADServiceAccount -Identity <AccountName> -PrincipalsAllowedToRetrieveManagedPassword <AccountNameGroup>

After, the account is created and associated with the computers, Installing and configuration is the same as other Managed Service Accounts

Copyright © 2015 by Julian Easterling. SOME RIGHTS RESERVED.

Creative Commons License
Except where otherwise noted, content on this site is
licensed under a Creative Common Attribution-Share Alike 4.0 International License.


All of the opinions expressed on this website are those of Julian Easterling and
do not represent the views of any of my current and previous clients or employers in any way.

If you notice an error on the site or content that has not been properly attributed, bring
it to my attention using the contact page and I will endeavor to fix it as soon as I can.

I accept no responsibility or liability for any damages incurred by following any of
my advice or by using any of the information on my site or of those sites that I link to.