Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)

Reading Time: 2 minutes

Recently, one of my readers approached me with some questions on Managed Service Accounts (MSAs). From our discussion, I realized a lot of people may be unclear about the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs).

So, this blogpost features a comprehensive table, showing the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) in a glance.

In this table you can quickly see which Operating Systems you can run services, configured with Managed Service accounts (MSAs) and group Managed Service accounts (gMSAs):

Table showing the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs), including Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008 and Windows Server 2012

 

Managed Service Accounts (MSAs)

Managed Service Accounts (MSAs) were introduced with Active Directory Domain Services in Windows Server 2008 R2. Managed Service Accounts (MSAs) can be used to run services on domain-joined clients and servers, to address typical service account challenges:

  • Service account password changes are a nightmare and they tend to break stuff. Thus, many organizations configure service accounts with non-expiring passwords. Nonetheless, it is a best practice to change these passwords regularly, for these accounts have a high risk of getting their passwords brute-forced.
  • Passwords for service accounts are stored in plain text in registry. Sure, the passwords are protected, but still accessible if you know how.
  • The Scope of service accounts is not easily set. Service accounts can often be used outside the intended scope, for instance to set up VPN connections are send mail through the (authenticated) SMTP gateway.

Under the hood, Managed Service Accounts (MSAs) are a new type of object (msDS-ManagedServiceAccount), derived from the computer account object and living in the Managed Service Accounts container under the domain root.

Managed Service Accounts (MSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management.

Group Managed Service Accounts (gMSAs)

Alongside the Managed Service Account (MSA), in Windows Server 2012, a new type of object is being introduced: the group Managed Service Account. (msDS-GroupManagedServiceAccount)

gMSAs provide the same functionality as MSAs within the domain but also extends that functionality over multiple servers. This way, gMSAs provide a single identity solution for services running on a server farm, or on systems behind Network Load Balance. By using gMSAs, services can be configured for the new gMSA object and the password management is handled by Windows.

group Managed Service Accounts (gMSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for automatic SPN management.

Further reading

Active Directory Feature Requirements
New features in AD DS in Windows Server 2012, Part 8: Group MSAs (gMSAs)

Posted on April 23, 2013 by Sander Berkouwer in Active Directory, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.