{{tag>startpage it-security windows active-directory}}

====== Group Managed Service Accounts ======

===== Security information =====

This tutorial only shows the general procedure. Depending on the company structure, an appropriate authorisation concept must be planned in advance.

Important questions that should be clarified in advance:

  * How should authorisations be assigned (group authorisations, individual authorisations)?
  * How do we structure our gMSA accounts (per server, per service, etc.)?

===== Preparations =====

Create the KDS root key on the DC:

<code powershell>
Add-KdsRootKey -EffectiveImmediately
</code>

Then wait 10 hours to ensure that replication is complete.

===== gMSA account =====

==== Create ====

On the DC:

<code powershell>
New-ADServiceAccount -Name <ACCOUNTNAME> -DNSHostName <ACCOUNTNAME>.<DOMAIN>.<TLD> -PrincipalsAllowedToRetrieveManagedPassword <COMPUTERNAME>$
</code>

==== Test ====

On the target system:

<code powershell>
Test-ADServiceAccount <ACCOUNTNAME>
</code>

If successful, the console reports ''True''.

=== For errors on the target system ===

The RSAT tools may need to be activated. Statement from Microsoft on this:

> As of the Windows 10 October 2018 Update, RSAT is included as a collection of features on demand in Windows 10 itself. Instead of downloading an RSAT package, you can now simply navigate to Manage optional features under Settings and click Add feature to see the list of available RSAT tools. Select the desired RSAT tools and install them. To view the installation progress, click the Back button to view the status on the Manage Optional Features page.

<sup>[[https://learn.microsoft.com/de-de/windows-server/remote/remote-server-administration-tools]]</sup>

If PowerShell is still open, you can also start the installation with this command:

<code powershell>
Install-WindowsFeature -IncludeAllSubFeature RSAT
</code>

After the installation, a restart may be required, and the ActiveDirectory module must be imported into PowerShell:

<code powershell>
Import-Module ActiveDirectory
</code>

===== Authorisations =====

The authorisations can now be assigned as required: either by adding the account to a security group in AD or by making it a local administrator on the target system. Authorisation concepts should only ever contain the authorisations that are really necessary.

===== Services =====

Services can now be started in this user context. To do this, open the service console and navigate to the properties of the service:

  * Open the ''Log On'' tab
  * Select ''This account''
  * Enter ''<ACCOUNTNAME>'' from the domain
  * Leave the ''Password'' fields empty
  * Confirm the dialogue

{{it-security:screenshot_2023-11-30_154322.png?600|}}

===== Task planning =====

To execute a task in the context of the gMSA account, the task must be modified using the command line:

<code dos>
schtasks /Change /TN "<AUFGABENNAME>" /RU "<DOMAIN>.<TLD>\<ACCOUNTNAME>$" /RP ""
</code>

The account may also need to be granted the ''Log on as a batch job'' right:

{{it-security:screenshot_2023-11-30_154419.png?600|}}

----

Sources:

  * [[https://www.frankysweb.de/group-managed-service-accounts-gmsa-fuer-tasks-und-dienste/]]
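The following script is an added example, not code from the original page or from the cited source. It walks through the whole procedure above in PowerShell using the group-based authorisation model discussed under "Security information": instead of naming a single computer in ''-PrincipalsAllowedToRetrieveManagedPassword'', a security group of permitted hosts is used, so hosts can be added or removed without touching the gMSA. All names (''corp.example'', ''CORP'', ''svc-app'', ''gMSA-AppHosts'', ''APPSRV01'', the task and service names, the script path) are placeholders and must be replaced.

```powershell
# Added example (not from the original page). Part A runs on the DC or an admin
# workstation with the ActiveDirectory module; part B runs on the target host.
# All names below are placeholders.
$Domain      = 'corp.example'    # placeholder DNS domain
$NetbiosName = 'CORP'            # placeholder NetBIOS domain name
$GmsaName    = 'svc-app'         # placeholder gMSA name (SAM account name max. 15 characters)
$HostGroup   = 'gMSA-AppHosts'   # placeholder security group of hosts allowed to use the gMSA
$TargetHost  = 'APPSRV01'        # placeholder member server

# ---- Part A: on the DC ----

# 1. Preparations: a KDS root key must exist before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'KDS root key created; wait 10 hours for replication before creating gMSAs.'
}

# 2. Group-based authorisation: only members of this group may retrieve the
#    managed password. Adding a host later is a group change, not a gMSA change.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security `
        -Description "Hosts allowed to retrieve the password of $GmsaName"
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $TargetHost)
# The host's Kerberos ticket must be refreshed (reboot) before the new group
# membership is honoured by Install-/Test-ADServiceAccount.

# 3. Create the gMSA; AES-only Kerberos encryption and a 30-day password rotation.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES256 `
    -ManagedPasswordIntervalInDays 30

# Check who is allowed to fetch the password; this is the list to review when
# the authorisation concept is audited.
(Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# ---- Part B: on the target host, after the reboot ----

Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$GmsaName cannot be used on this host; check group membership and replication."
}

# 4. Scheduled task in the gMSA context, the PowerShell equivalent of the
#    schtasks call in the article. LogonType Password is what a gMSA needs;
#    no password is stored because the host retrieves it from AD itself.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\Backup.ps1'   # placeholder script
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId "$NetbiosName\$GmsaName$" -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'NightlyBackup' -Action $action -Trigger $trigger -Principal $principal
# The gMSA still needs the "Log on as a batch job" right on this host (local
# security policy or GPO), otherwise the task fails to start.

# 5. Windows service in the gMSA context: the account ends with "$" and the
#    password is left empty, exactly as in the services console dialogue.
sc.exe config 'MyAppService' obj= "$NetbiosName\$GmsaName$" password= ""   # placeholder service name
Restart-Service -Name 'MyAppService'
```

Part A is idempotent for the root key and the group, so it can be re-run safely; ''New-ADServiceAccount'' fails if the account already exists, which is intended. Keep the output of the ''Get-ADServiceAccount'' check with the authorisation concept: it documents exactly which hosts can obtain the gMSA password.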