A standalone Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrator, can be used for services running on multiple servers such as a server farm. ADFS, IIS and systems behind a Network Load Balance.
As I stated at the beginning, the main benefit from an identity perspective is that there is no password to manage for this account. The gMSA is configured on the servers and Windows handles the password management of the account.
This makes the solution easier to manage since there is no user interaction required to cycle the password on a regular basis. This would normally involve changing the password in Active Directory and then updating the individual services with the new password to ensure continuation of services, thus, eliminates service accounts with static passwords that are set upon creation, and then never cycled again, which is very normal in most of my customers.
Also, another thing very important about gMSA accounts, is that cannot be used to log on to any computers in the domain. This ensure the service account is only used for it’s intended purpose of running a service.
one thing to also to keep in mind is that service in olny available from W2012R2, so if your forest is running under W2008R2, forget it and upgrade your forest 🙂
If you want to go ahead and configure your gMSA account, you con do it by executing the following PowerShell:
New-ADServiceAccount AccountgMSA -DNSHostName AccountgMSA.fqdn -PrincipalsAllowedToRetrieveManagedPassword nameoftheServerstoretrievethegmsaaccount$ -KerberosEncryptionType RC4, AES128, AES256
the $ it is not a typpo, it is necessary to include the servers name. If you execute the script and you receive and error like the following:
You will need to create a key first, you can do it with the following command:
Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10));
Once we have executed the previous command, we can execute the other one to create the account, which will appear in Users&Computers: