Learn about Group Managed Service Accounts in Windows Server 2012
Managed Service Accounts (MSA) were introduced in Windows Server 2008 R2 so that the passwords of service accounts are managed (and changed) automatically by the domain rather than by an administrator. Using an MSA significantly reduces the risk of running services under a shared account whose password is known to people, rarely rotated and easy to leak. An MSA has one major limitation: it can only be used on a single computer. This means an MSA cannot be used by a service in a Network Load Balancing (NLB) cluster, where the same service runs on several servers at once under one account and password. To address this, Microsoft added Group Managed Service Accounts (gMSA) in Windows Server 2012.
To create a gMSA, follow the steps below.
Step 1 - Create a KDS root key on a domain controller. The Key Distribution Service (KDS) uses this key to generate the gMSA passwords.
In a test environment, to make the key usable immediately instead of waiting the 10 hours the KDS normally requires for the key to replicate to all domain controllers, run the following PowerShell command (back-dating the effective time is for labs only; in production, create the key without back-dating it and wait 10 hours before creating any gMSA):
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
To check that the key was created successfully, run:
Get-KdsRootKey
Step 2 - To create and configure the gMSA, open a PowerShell terminal and type:
New-ADServiceAccount -Name gmsa1 -DNSHostName dc1.example.com -PrincipalsAllowedToRetrieveManagedPassword "gmsa1Group"
Where:
- gmsa1 is the name of the gMSA being created.
- dc1.example.com is the DNS host name assigned to the account (the -DNSHostName value), used when service principal names are registered for it; it is not the address of a DNS server.
- gmsa1Group is an Active Directory security group whose members are the computer accounts of every server that will run the service. This group must be created beforehand. It is also the trust boundary for the credential: any member of the group can retrieve the gMSA password from Active Directory, so keep its membership limited to exactly those servers.
To check, open Server Manager → Tools → Active Directory Users and Computers and look in the Managed Service Accounts container.
Step 3 - To install the gMSA on the member server (the server needs the Active Directory PowerShell module from RSAT), open a PowerShell terminal and run the following commands:
- Install-ADServiceAccount -Identity gmsa1
- Test-ADServiceAccount gmsa1
The second command returns True when the server can retrieve the account's password. If it returns False, check that the computer account is a member of gmsa1Group and that the server has obtained a fresh Kerberos ticket since it was added (a reboot is the simplest way).
Step 4 - Open the properties of the service and specify that it runs under the gMSA. On the Log On tab, in the This account box, enter the service account name with a trailing $ (for example DOMAIN\gmsa1$) and leave the password fields empty. Save the change and restart the service.
When the account is set through the Services console, Windows grants it the 'Log on as a service' right automatically, and the password is retrieved from Active Directory by the service control manager each time the service starts.
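The four steps above as a single script, added here as an example and not part of the original article. It assumes names that the article does not give: the domain is example.com, the service runs on two member servers named APP01 and APP02, the Windows service is called MyAppSvc, and the script runs as a domain administrator from a host with the ActiveDirectory RSAT module, with PowerShell remoting enabled to the member servers. Unlike the article's step 4, the service account is changed with WMI rather than the Services console, so the 'Log on as a service' right is not granted automatically and must be assigned by policy.

```powershell
# Added example (not the article's own code). Assumed names: example.com, APP01/APP02,
# MyAppSvc, gmsa1, gmsa1Group. Run as a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDns   = 'example.com'                 # assumed domain
$netbios     = (Get-ADDomain).NetBIOSName     # e.g. EXAMPLE, used for the logon name
$gmsaName    = 'gmsa1'
$groupName   = 'gmsa1Group'
$hosts       = @('APP01', 'APP02')            # assumed servers that will run the service
$serviceName = 'MyAppSvc'                     # assumed Windows service name

# Step 1: KDS root key. Back-dating the effective time by 10 hours skips the replication
# wait and is for lab use only; in production create the key normally and wait 10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Step 2: the group whose members may retrieve the password. Membership is the trust
# boundary for the credential, so add only the computer accounts that run the service.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
foreach ($h in $hosts) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $h)
}

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -ManagedPasswordIntervalInDays 30          # default rotation interval, stated explicitly

# Check who may read the password: only $groupName should be listed.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# Step 3: on each member server. A computer added to the group after it booted still holds
# a Kerberos ticket without the new group, so purge the machine's tickets (logon session
# 0x3e7) before installing; the member needs the ActiveDirectory RSAT module.
$installOnHost = {
    param($gmsaName)
    Import-Module ActiveDirectory
    klist -li 0x3e7 purge | Out-Null
    Install-ADServiceAccount -Identity $gmsaName
    # Returns True when this computer can retrieve the managed password.
    Test-ADServiceAccount -Identity $gmsaName
}
foreach ($h in $hosts) {
    $ok = Invoke-Command -ComputerName $h -ScriptBlock $installOnHost -ArgumentList $gmsaName
    if (-not $ok) { throw "gMSA $gmsaName is not usable on $h" }
}

# Step 4: run the service as the gMSA. The logon name ends in $ and the password is empty;
# the service control manager fetches the real password from AD at each start.
# Win32_Service.Change does NOT grant "Log on as a service" (the Services console does),
# so assign that right to $netbios\$gmsaName$ through local or group policy first.
$configureService = {
    param($logonName, $serviceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $logonName
        StartPassword = ''
    }
    if ($r.ReturnValue -ne 0) { throw "Changing the logon account failed with code $($r.ReturnValue)" }
    Restart-Service -Name $serviceName
}
$logonName = "$netbios\$gmsaName`$"
foreach ($h in $hosts) {
    Invoke-Command -ComputerName $h -ScriptBlock $configureService -ArgumentList $logonName, $serviceName
}
```

The check after New-ADServiceAccount is the one worth repeating periodically: if anything other than the intended group appears in PrincipalsAllowedToRetrieveManagedPassword, that principal can read the msDS-ManagedPassword attribute and impersonate the service on every host in the cluster.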