AD Group Managed Service Accounts

Windows 2012 introducted Group Managed Service Accounts (gMSA), it allows for stand-alone MSA accounts to be used across multiple computers.

gMSA can be used for schedule task, IIS application pools, Exchange and SQL 2012  which stand alone MSA were not able to do.

Create Root Key

gMSA use the Key Distribution  Service (KDS) to enable automatic password management across multiple devices. This requires the follow command to be run and 10 hours before it becomes effective (only has to be done once per forest). If you try to create the service account before the key becomes effective then you get a “Key does not exist” error.

Add-KDSRootKey -EffectiveImmediately

Create Security Group

It is best practice to create a security group and add the computers that will use the gMSA.

Create MSA

Once the security account has been done, the gMSA account can be created. This is done using the same camlet as a stand alone MSA

New-ADServiceAccount -Name ServiceAccount1 -DNSHostName -PrincipalsAllowedToDelegateToAccount “Servers”

Name = the name of the Managed Service account

DNSHostName = Host name of DC

PrincipalsAllowedToDelegateToAccount = Security group created above


Install gMSA

A gMSA is installed on the computer like MSA with the Install-ADServiceAccount <gMSA>

Install-ADServiceAccount ServiceAccount1

Test-ADServiceAccount ServiceAccount1

If the test returns $True then everything is ok.



Use gMSA in Scheduled Task

With creating a scheduled task using a gMSA we are unable to use the Task Scheduler UI, therefore it needs to be done in Powershell

$action = New-ScheduledTaskAction “c:\scripts\robocopy.bat”
$trigger = New-ScheduledTaskTrigger -At 23:00 -Daily
$principal = New-ScheduledTaskPrincipal -UserID child\myAdminAccount$ -LogonType Password

Register-ScheduledTask myAdminTask –Action $action –Trigger $trigger –Principal $principal



Leave a Reply