Securing Managed Service Accounts (gMSA) in Active Directory

04/08/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and securing Group Managed Service Accounts (gMSA) in Active Directory. gMSAs offer a robust solution to service account security challenges by automating password management and simplifying administration [1].

Introduction

Traditional service accounts with static passwords pose a significant risk. gMSAs (Group Managed Service Accounts) extend the functionality of MSAs (Managed Service Accounts), allowing a single service account to be used by multiple servers, with Active Directory automatically managing password rotation and key distribution without manual intervention [2].

This practical guide will cover the prerequisites, creating and configuring gMSAs, how to associate them with services and scheduled tasks, and best practices for ensuring your service accounts are protected and managed efficiently.

Why are gMSAs crucial?

  • Automatic Password Management: Complex and long passwords are automatically generated and rotated every 30 days by Active Directory.
  • Deployment on Multiple Servers: A single gMSA can be used by multiple servers, simplifying administration in distributed environments.
  • Principle of Least Privilege: Facilitates the granting of minimum necessary permissions.
  • Improved Auditing: Simplifies auditing as service identities are clearly defined and traceable.

Prerequisites

  1. Domain Controllers (DCs) with Windows Server 2012 or higher.
  2. Domain Functional Level (DFL) of Windows Server 2012 or higher.
  3. Active Directory Module for Windows PowerShell.
  4. Domain Member Servers that will use gMSA.
  5. Security Group for Hosts: A security group in Active Directory that will contain the servers that will use gMSA.

Step by Step: Implementing and Securing gMSAs

1. Configuring the KDS Root Key Service

The KDS Root Key Service is required so that Active Directory can generate passwords for gMSAs. It needs to be configured once per forest [3].

  1. Open Windows PowerShell as Administrator on a Domain Controller.
  2. Check whether the KDS Root Key Service is already configured:
       Get-KdsRootKey
  3. If no key is returned, create a new KDS Root Key. For production, backdate the effective time by 10 hours to allow for replication:
       Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
     For immediate testing, use:
       Add-KdsRootKey -EffectiveImmediately

2. Creating the Security Group for Hosts

This group will contain the servers that will be allowed to recover the gMSA password.

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Create a new security group (e.g. gMSA_Hosts_ServicoX) with scope Global and type Security.
  3. Add the computer accounts of the servers that will use the gMSA to this group (e.g. ServidorApp01$, ServidorApp02$).

3. Creating the gMSA

Now let's create the gMSA using PowerShell.

  1. Open Windows PowerShell as Administrator on a Domain Controller.
  2. Use the New-ADServiceAccount cmdlet:
       New-ADServiceAccount -Name gMSA_ServicoX -DNSHostName gMSA_ServicoX.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "gMSA_Hosts_ServicoX"
    • Explanation: The PrincipalsAllowedToRetrieveManagedPassword parameter specifies the security group whose members may retrieve the gMSA password. This group must contain the computer accounts of the servers that will run the service.

4. Installing and Testing gMSA on Host Servers

On servers that will use gMSA, you need to install it and test its functionality.

  1. On each server that is a member of the gMSA_Hosts_ServicoX group, open Windows PowerShell as Administrator.
  2. Install the gMSA:
       Install-ADServiceAccount -Identity gMSA_ServicoX
  3. Test that the gMSA is installed and functional:
       Test-ADServiceAccount -Identity gMSA_ServicoX
    • Expected Result: The output should be True, indicating that the gMSA is ready to be used on this server.
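The four steps above as one script, added here as an example and not taken from the original article. The names (contoso.com, gMSA_Hosts_ServicoX, gMSA_ServicoX, ServidorApp01/ServidorApp02) come from the article; the two function names and the -SkipReplicationWait switch are this example's own. The first function runs once on a Domain Controller, the second on every host in the group, both from an elevated PowerShell with the Active Directory module present.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Names come from the article;
# the function names and the -SkipReplicationWait switch are this example's own.

# Steps 1-3: run once on a Domain Controller as Administrator.
function Initialize-GmsaOnDomainController {
    param(
        [string]   $AccountName = 'gMSA_ServicoX',
        [string]   $GroupName   = 'gMSA_Hosts_ServicoX',
        [string]   $DnsSuffix   = 'contoso.com',
        [string[]] $HostNames   = @('ServidorApp01', 'ServidorApp02'),
        # A key created with -EffectiveImmediately only becomes usable 10 hours later,
        # the time reserved for replication to every DC. Backdating EffectiveTime by
        # 10 hours removes that wait, which is fine for a lab but skips the safety margin.
        [switch]   $SkipReplicationWait
    )

    # Step 1: KDS root key (one per forest).
    if (-not (Get-KdsRootKey)) {
        if ($SkipReplicationWait) {
            Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
        } else {
            Add-KdsRootKey -EffectiveImmediately | Out-Null
        }
        Write-Host 'KDS root key created.'
    } else {
        Write-Host 'KDS root key already present.'
    }

    # Step 2: global security group holding the computer accounts allowed to read the password.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
    }
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)
    foreach ($h in $HostNames) {
        $computer = Get-ADComputer -Identity $h          # sAMAccountName without the trailing $
        if ($computer.DistinguishedName -notin $current) {
            Add-ADGroupMember -Identity $group -Members $computer
        }
    }

    # Step 3: the gMSA itself; only the group above may retrieve its password.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
        New-ADServiceAccount -Name $AccountName `
            -DNSHostName "$AccountName.$DnsSuffix" `
            -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
            -ManagedPasswordIntervalInDays 30           # 30 days is also the default rotation
    }
}

# Step 4: run on each host that is a member of the group, as Administrator.
function Install-GmsaOnHost {
    param([string] $AccountName = 'gMSA_ServicoX')

    # The host's group membership is evaluated at logon, so a computer added to the
    # group needs a reboot (or 'klist -li 0x3e7 purge') before the password can be read.
    Install-ADServiceAccount -Identity $AccountName
    if (Test-ADServiceAccount -Identity $AccountName) {
        Write-Host "$AccountName is ready on $env:COMPUTERNAME"
    } else {
        throw "Test-ADServiceAccount returned False on $env:COMPUTERNAME; check group membership and replication."
    }
}
```

Dot-source the file and call Initialize-GmsaOnDomainController on a DC, then Install-GmsaOnHost on each server. The most common cause of a False from Test-ADServiceAccount is a host whose Kerberos ticket predates its addition to the group, which is why the second function comments on the reboot or ticket purge.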

5. Associating the gMSA with a Service

  1. On the server where the service will be executed, open the Services console (services.msc).
  2. Locate the service you want to configure.
  3. Right-click the service, select Properties.
  4. In the Log On tab, select This account.
  5. In the This account field, type the name of your gMSA followed by a $, for example: gMSA_ServicoX$.
  6. Leave the password fields blank. Active Directory will manage the password automatically.
  7. Click Apply and OK.
  8. Restart the service for the changes to take effect.
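The same change made from PowerShell, as an added example that is not part of the original article. It assumes a service named ServicoX and a NetBIOS domain name of CONTOSO, both placeholders, and it uses the Win32_Service.Change method with an empty StartPassword to hand the account over to Active Directory (this way of setting a gMSA on a service is this example's assumption, not something the article describes). Unlike the Services console, this method does not grant the "Log on as a service" right, so that right must already be in place.

```powershell
# Added example, not part of the original article. 'ServicoX' and 'CONTOSO' are
# placeholders; the function name is this example's own.
function Set-ServiceGmsaLogon {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [string] $GmsaName      = 'gMSA_ServicoX',
        [string] $NetBiosDomain = 'CONTOSO'
    )
    $logonName = "$NetBiosDomain\$GmsaName`$"   # trailing $ as in the Services console

    # Refuse to reconfigure a service on a host that cannot read the managed password.
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "$GmsaName is not installed on this host; run Install-ADServiceAccount first."
    }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # StartPassword is left empty: Active Directory supplies the managed password at logon.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $logonName; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
    }

    Restart-Service -Name $ServiceName
    # Verify what the Service Control Manager now stores for the service.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
}
```

A non-zero ReturnValue (22 is "invalid service account") usually means the account name is wrong or the host cannot resolve it; a service that then fails to start with a logon failure points at the missing "Log on as a service" right.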

6. Using gMSA with Scheduled Tasks

  1. On the server, open Task Scheduler (taskschd.msc).
  2. Create a new task or edit an existing one.
  3. On the General tab, click Change User or Group....
  4. In the Enter the name of the object to be selected field, enter the name of your gMSA followed by a $, for example: gMSA_ServicoX$.
  5. Click Check Names and then OK.
  6. Leave the password fields blank.
  7. Configure the other scheduled task options and click OK.
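The scheduled-task configuration from PowerShell, added here as an example and not part of the original article. The task name, script path, schedule and the CONTOSO domain name are placeholders. The key point is the principal: New-ScheduledTaskPrincipal with -LogonType Password is what registers a task under a gMSA without storing or prompting for a password.

```powershell
# Added example, not part of the original article. Task name, script path and
# schedule are placeholders; CONTOSO is the assumed NetBIOS domain name.
function Register-GmsaScheduledTask {
    param(
        [string] $TaskName   = 'ServicoX-Maintenance',
        [string] $ScriptPath = 'C:\Scripts\ServicoX-Maintenance.ps1',
        [string] $GmsaLogon  = 'CONTOSO\gMSA_ServicoX$'
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy AllSigned -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

    # LogonType Password lets the task run whether or not anyone is logged on; because the
    # identity is a gMSA, no password is stored or prompted for. RunLevel Limited keeps the
    # token unelevated unless the script genuinely needs more.
    $principal = New-ScheduledTaskPrincipal -UserId $GmsaLogon -LogonType Password -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                   -MultipleInstances IgnoreNew

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    # Verify the registered principal.
    (Get-ScheduledTask -TaskName $TaskName).Principal | Select-Object UserId, LogonType, RunLevel
}
```

The gMSA also needs the "Log on as a batch job" right on the host for the task to start; the Task Scheduler console grants it when you pick the account, this cmdlet does not.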

Best Practices and Security Tips

  • Principle of Least Privilege: Grant gMSA only the permissions necessary to perform its function. Do not use gMSAs with domain administrator privileges.
  • Dedicated Security Groups: Use specific security groups for PrincipalsAllowedToRetrieveManagedPassword to control which servers can use gMSA.
  • Audit: Monitor the use of gMSAs through Active Directory security logs to detect any anomalous activity.
  • KDS Root Key Protection: Ensure Domain Controllers are secure, as the KDS Root Key is critical to the security of gMSAs.
  • Remove Old Service Accounts: Migrate services to gMSAs and disable or delete old service accounts that used static passwords.
  • Documentation: Keep a record of which gMSAs are in use, what services they run, and on which servers.
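An audit script that checks the Least Privilege, Dedicated Security Groups, Audit and Documentation points above, added here as an example and not part of the original article. The function names and the list of privileged groups are this example's own; the second function reads event 4624 from the local Security log, so it belongs on the servers that run the gMSA.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Function names are this example's
# own; the privileged-group list is a starting point, not an exhaustive one.

function Get-GmsaInventory {
    # Groups a service account should never be a member of (extend with your own Tier 0 groups).
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators')
    $props = @('PrincipalsAllowedToRetrieveManagedPassword', 'PasswordLastSet',
               'MemberOf', 'msDS-ManagedPasswordInterval', 'Enabled', 'LastLogonDate')

    Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
        $acct     = $_
        $interval = [int]$acct.'msDS-ManagedPasswordInterval'
        $groups   = @($acct.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $allowed  = @($acct.PrincipalsAllowedToRetrieveManagedPassword |
                        ForEach-Object { Get-ADObject -Identity $_ })
        # Password older than the interval plus a day of slack means rotation stalled
        # (KDS key missing, replication trouble, or no host has ever read it).
        $overdue  = (-not $acct.PasswordLastSet) -or
                    ($acct.PasswordLastSet -lt (Get-Date).AddDays(-($interval + 1)))
        [pscustomobject]@{
            Name               = $acct.Name
            Enabled            = $acct.Enabled
            PasswordLastSet    = $acct.PasswordLastSet
            RotationDays       = $interval
            RotationOverdue    = $overdue
            AllowedPrincipals  = ($allowed.Name) -join ', '
            # Computer objects listed directly instead of a group are harder to review.
            NonGroupPrincipals = @($allowed | Where-Object ObjectClass -ne 'group').Count
            # Direct membership only; nested membership needs a recursive query.
            PrivilegedGroups   = @($groups | Where-Object { $_ -in $privileged }) -join ', '
            LastLogonDate      = $acct.LastLogonDate
        }
    }
}

# Logons by a gMSA on this host in the last N days (Security event 4624).
function Get-GmsaLogonEvents {
    param([string[]] $GmsaNames, [int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties   # 4624 layout: 5=TargetUserName 8=LogonType 11=WorkstationName 18=IpAddress
        $user = $p[5].Value
        if ($user -in $GmsaNames) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $user
                LogonType   = $p[8].Value        # 5 = service, 4 = batch (scheduled task)
                Workstation = $p[11].Value
                SourceIp    = $p[18].Value
            }
        }
    }
}

# Usage: inventory first, then look for logons by any gMSA not expected on this host.
$inventory = Get-GmsaInventory
$inventory | Format-Table Name, Enabled, RotationOverdue, AllowedPrincipals, NonGroupPrincipals, PrivilegedGroups -AutoSize
# The sAMAccountName of a gMSA carries a trailing $, which is what 4624 reports.
Get-GmsaLogonEvents -GmsaNames ($inventory.Name | ForEach-Object { "$_`$" }) | Format-Table -AutoSize
```

A non-empty PrivilegedGroups column or a NonGroupPrincipals count above zero is a direct finding against the first two best practices; RotationOverdue set to True on an enabled account points at the KDS root key or replication. The inventory output doubles as the record the Documentation point asks for.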

Conclusion

Group Managed Service Accounts (gMSA) are a vital component for improving your Active Directory security posture, especially in managing service identities. By automating password rotation, simplifying deployment in distributed environments, and facilitating the application of the principle of least privilege, gMSAs significantly reduce the attack surface and administrative complexity. Proper implementation and management of gMSAs are crucial steps to protecting your services and applications against cyber threats.

References

[1] Microsoft. (2023). Group Managed Service Accounts (gMSA) in Active Directory.
[2] Microsoft. (2023). Overview of Managed Service Accounts.
[3] Microsoft. (2023). Active Directory Key Distribution Service (KDS).