Managed Service Accounts (MSAs)

Managed Service Accounts (MSAs) were introduced with Active Directory Domain Services in Windows Server 2008 R2. They can be used to run services on domain-joined clients and servers and address typical service account challenges:

  • Service account password changes cause administrative overhead for IT staff, so organizations often configure service accounts with non-expiring passwords instead.
  • Service accounts can often be used outside their intended scope, for instance to send mail through the (authenticated) SMTP gateway.

Both account types that address these problems share the same limitation:

– A computer account is limited to one domain-joined server, and its password is managed by the computer.
– A Managed Service Account is limited to one domain-joined server, and its password is managed by the computer.

Object: msDS-ManagedServiceAccount

Location in AD: Managed Service Accounts container

Managed Service Accounts (MSAs) can be configured in Active Directory environments running at the Windows Server 2003 and Windows Server 2008 functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management.

Group Managed Service Accounts (gMSAs)

Windows Server 2012 includes the following changes:

– Introduces a new security principal type known as a gMSA
– Services running on multiple hosts can run under the same gMSA account
– One or more Windows Server 2012 domain controllers required
  – gMSAs can authenticate against domain controllers running any version of Windows Server
  – Passwords are computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 domain controllers
– Windows Server 2012 hosts using gMSAs obtain the password and password updates from GKDS
  – Password retrieval is limited to authorized computers
– Password-change interval is defined at gMSA account creation (30 days by default)
– Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools

Object: msDS-GroupManagedServiceAccount

Requirements

– Windows Server 2012 Active Directory schema updated in forests containing gMSAs
– One or more Windows Server 2012 domain controllers to provide password computation and retrieval
– Only services running on Windows Server 2012 can use gMSAs
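The following PowerShell session is an added example, not part of the original page, that walks through both account types described above: a standalone MSA bound to a single host, and a gMSA whose password is computed by the KDS and retrievable only by an authorized group of hosts, followed by the audit query a defender would run to confirm who is allowed to retrieve each managed password. It uses the ActiveDirectory module cmdlets (New-ADServiceAccount, Add-ADComputerServiceAccount, Install-ADServiceAccount, Test-ADServiceAccount, Add-KdsRootKey, Get-ADServiceAccount); the account names, host names, group name and domain (svc-legacy, svc-web, WEB01, WebServers, corp.example.com) are assumed placeholders.

```powershell
# Added example: standalone MSA vs. gMSA provisioning and a retrieval-permission audit.
# All names below (svc-legacy, svc-web, WEB01, WebServers, corp.example.com) are placeholders.
Import-Module ActiveDirectory

# --- 1. Standalone MSA (Windows Server 2008 R2 style): tied to exactly one computer ---
# -RestrictToSingleComputer creates an msDS-ManagedServiceAccount object.
New-ADServiceAccount -Name 'svc-legacy' -RestrictToSingleComputer

# Bind the MSA to the one host that may use it; the host then manages the password.
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svc-legacy'

# Run on WEB01 itself: registers the account locally so the SCM can start services as it.
# Install-ADServiceAccount -Identity 'svc-legacy'

# --- 2. gMSA (Windows Server 2012 and later): password computed by the KDS on the DCs ---
# A KDS root key is required once per forest. New keys become usable after the
# replication safety window (about 10 hours), so do this ahead of time in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# PrincipalsAllowedToRetrieveManagedPassword is the access-control boundary: only members
# of this group (here a group of web servers) can fetch the password from the KDS.
# The password-change interval can only be set at creation time, as the text notes.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/svc-web.corp.example.com'

# Run on each member of WebServers (after a reboot or kerberos ticket refresh so the
# host's group membership is current); Test-ADServiceAccount returns $true when the host
# can retrieve the managed password.
# Install-ADServiceAccount -Identity 'svc-web'
# Test-ADServiceAccount -Identity 'svc-web'

# --- 3. Defender's audit: who can retrieve each managed password, and how often it rotates ---
# Flag any gMSA whose retrieval list is empty (unusable) or contains broad principals such as
# 'Domain Computers', which would let every domain-joined machine read the service password.
Get-ADServiceAccount -Filter * -Properties ObjectClass, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    ForEach-Object {
        $principals = @($_.PrincipalsAllowedToRetrieveManagedPassword)
        [pscustomobject]@{
            Name          = $_.Name
            Type          = $_.ObjectClass   # msDS-ManagedServiceAccount or msDS-GroupManagedServiceAccount
            IntervalDays  = $_.ManagedPasswordIntervalInDays
            Retrievers    = ($principals -join ';')
            OverlyBroad   = [bool]($principals | Where-Object { $_ -match 'Domain Computers|Authenticated Users|Everyone' })
        }
    } | Format-Table -AutoSize
```

The audit at the end is the part worth scheduling: because a gMSA's password is handed to every principal in PrincipalsAllowedToRetrieveManagedPassword, that attribute defines the account's real blast radius, and reviewing it catches the common mistake of granting retrieval to a broad built-in group rather than a dedicated group of the hosts that actually run the service.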
 
Value?

The Group Managed Service Account removes this limitation because the account password is managed by Windows Server 2012 domain controllers and can be retrieved by multiple Windows Server 2012 systems. This minimizes the administrative overhead of a service account by letting Windows handle password management for these accounts.