
Setting up a Group Managed Service Account (gMSA)

You can use a Group Managed Service Account (gMSA) in Reflection for Secure IT Windows Server. Passwords for Group Managed Service Accounts are managed by Windows. Reflection for Secure IT Windows Server does not store this password; it retrieves it from Active Directory each time it is needed. Before you can use such an account, you first have to create and configure the Group Managed Service Account in Active Directory.

Requirements:

  • Group Managed Service Accounts were introduced in Windows Server 2012, so your servers and the Active Directory schema have to be at least that version.

  • The Active Directory PowerShell commands require a 64-bit architecture.

  • Some of the commands below require elevation; some require domain administrator privileges.

  • For more information about hardware and software requirements, please refer to Active Directory documentation.

Setting up the Group Managed Service Account

Steps 1 through 4 can be run on any machine in the domain. Steps 5 and 6 must be performed on the server(s) where Reflection for Secure IT Windows Server runs.

  1. Creating a gMSA is done using PowerShell commands. Install them using the following command, on the machines where you want to use them:

    PS> Install-WindowsFeature RSAT-AD-PowerShell
    
  2. Create or retrieve a Key Distribution Services Root Key.

    The first time you work with Group Managed Service Accounts, check if you have a Key Distribution Services Root Key. You need one root key per forest. Do not create a second key if you already have one.

    To check if you have a key, use the following command:

    PS> Get-KdsRootKey
    

    Keys will not be listed unless you have sufficient permissions.

    To add a root key, use the following command:

    PS> Add-KdsRootKey
    

    Wait 10 hours for the key to be replicated.

  3. Specify a list of principals that are allowed to retrieve the managed password.

    A Group Managed Service Account needs a list of principals that are allowed to retrieve the managed password. In the use case of Reflection for Secure IT Windows Server, these principals are the machine accounts where Reflection for Secure IT Windows Server runs. You can either specify a list of those machine accounts, or you can create a group that contains the machine accounts, and specify just the group.

    Typically, a group is used; the only disadvantage of using a group is that you have to restart the machines to see membership changes.

    Example 1: Create a gMSA and allow a single machine to retrieve the password.

    To create a gMSA called "rsitgmsa" on "domain.com", and allow the password to be retrieved on one machine "rsitServer", use:

    PS> New-ADServiceAccount -Name "rsitgmsa" -DNSHostName rsitgmsa.domain.com -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer "rsitServer").distinguishedName
    

    Example 2: Create a gMSA and allow a specified group of machines to retrieve the password.

    To create a gMSA called "rsitgmsa" on "domain.com", and allow the password to be retrieved by all machine accounts in the group "rsitServerGroup", which contains this machine, use:

    PS> New-ADGroup "rsitServerGroup" -GroupScope Global    # -GroupScope is mandatory; PowerShell prompts for it if omitted
    
    PS> Add-ADGroupMember "rsitServerGroup" (Get-ADComputer "rsitServer").distinguishedName
    
    PS> New-ADServiceAccount -Name "rsitgmsa" -DNSHostName rsitgmsa.domain.com -PrincipalsAllowedToRetrieveManagedPassword (Get-ADGroup "rsitServerGroup").distinguishedName
    
  4. To change the PrincipalsAllowedToRetrieveManagedPassword later, use the following command:

    PS> Set-ADServiceAccount -Identity "rsitgmsa" -PrincipalsAllowedToRetrieveManagedPassword <new-value>
    
  5. After creating the Group Managed Service Account, log on to the server where Reflection for Secure IT Windows Server runs, and install the account on the server using the following command:

    PS> Install-ADServiceAccount "rsitgmsa"
    
  6. Test the account by logging on to the server where Reflection for Secure IT Windows Server runs and using the following command:

    PS> Test-ADServiceAccount "rsitgmsa"
    

    This should display "True".
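    The following script ties the checks from steps 2, 3 and 6 together so you can see why Test-ADServiceAccount returns "False". It is an added example, not part of the product documentation; the function name Test-GmsaRetrievalRights and the default gMSA name "rsitgmsa" are assumptions, and it must be run as an elevated user on a server where Reflection for Secure IT Windows Server runs.

```powershell
# Added example (not the product's own code). Assumed names: Test-GmsaRetrievalRights, "rsitgmsa".
function Test-GmsaRetrievalRights {
    param(
        [string]$GmsaName = "rsitgmsa",
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Import-Module ActiveDirectory

    # Step 2 check: a KDS root key must exist and already be effective (hence the 10-hour wait).
    $keys = Get-KdsRootKey
    if (-not $keys) {
        Write-Warning "No KDS root key visible (none created, or insufficient permissions to list it)."
    } elseif (-not ($keys | Where-Object { $_.EffectiveTime -le (Get-Date) })) {
        Write-Warning "A KDS root key exists but is not effective yet; wait for replication."
    }

    # Step 3 check: is this machine account allowed to retrieve the managed password,
    # either directly or through a group listed on the gMSA?
    $computer = Get-ADComputer -Identity $ComputerName
    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = $false
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $dn
        if ($principal.ObjectClass -eq 'computer' -and $dn -eq $computer.DistinguishedName) {
            Write-Host "$ComputerName is allowed directly."
            $allowed = $true
        } elseif ($principal.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $dn -Recursive
            if ($members.DistinguishedName -contains $computer.DistinguishedName) {
                # Group membership only takes effect on the machine after a restart.
                Write-Host "$ComputerName is allowed via group $($principal.Name) (restart needed after membership changes)."
                $allowed = $true
            }
        }
    }
    if (-not $allowed) {
        Write-Warning "$ComputerName is not in PrincipalsAllowedToRetrieveManagedPassword of $GmsaName."
    }

    # Step 6 check: ask the local machine to actually retrieve the managed password.
    $result = Test-ADServiceAccount -Identity $GmsaName
    Write-Host "Test-ADServiceAccount $GmsaName returned: $result"
    return $result
}

Test-GmsaRetrievalRights
```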

Once a Group Managed Service Account has been created, you can configure the permissions (access control) of your network shares. While the PowerShell commands refer to the gMSA name without a trailing dollar sign, in Windows File Explorer the name of the account must end with a dollar sign, for example "rsitgmsa$".

Note

The file server does not need permission to retrieve the gMSA password. Only the machines that run Reflection for Secure IT Windows Server need this permission.