Group Managed Service Accounts Overview
Updated: October 17, 2012
Applies To: Windows Server 2012 R2, Windows Server 2012
This topic for the IT professional introduces the group Managed Service Account by describing practical applications, changes in Microsoft’s implementation, hardware and software requirements, plus additional resources for Windows Server 2012.
Standalone Managed Service Accounts, which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.
The group Managed Service Account provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as Network Load Balancing, the authentication protocols supporting mutual authentication require that all instances of the service use the same principal. When group Managed Service Accounts are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.
The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for an Active Directory account. This service is new to Windows Server 2012 and does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret which is used to create keys for the account. These keys are periodically changed. For a group Managed Service Account, the Windows Server 2012 domain controller computes the password from the key provided by the Key Distribution Service together with other attributes of the group Managed Service Account. Windows Server 2012 and Windows 8 member hosts can obtain the current and preceding password values by contacting a Windows Server 2012 domain controller.
Group Managed Service Accounts provide a single identity solution for services running on a server farm, or on systems behind Network Load Balancing. By providing a group MSA solution, services can be configured for the new group MSA principal and the password management is handled by Windows.
Using a group Managed Service Account, services or service administrators do not need to manage password synchronization between service instances. The group Managed Service Account supports hosts that are kept offline for an extended time period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or a sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.
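The provisioning flow the preceding paragraphs describe (KDS root key, one shared principal for every farm host, password retrieval by member hosts, no administrator-managed password) looks like this in the Active Directory PowerShell module. This is an added example, not part of the original article; the domain contoso.com, the gMSA WebFarmSvc, the host group WebFarmHosts, the hosts WEB01/WEB02 and the service MyWebService are assumed names.

```powershell
# Added example, not from the original article. Assumed names: domain CONTOSO / contoso.com,
# gMSA "WebFarmSvc", host group "WebFarmHosts", member hosts WEB01/WEB02, service "MyWebService".
Import-Module ActiveDirectory

# 1. Once per forest, on a Windows Server 2012 DC: create the KDS root key from which the
#    Key Distribution Service derives gMSA passwords. Requires Domain Admin or Enterprise Admin.
if (-not (Get-KdsRootKey)) {
    # Even with -EffectiveImmediately the key is usable only after ~10 hours, so it has
    # replicated to every DC before any host asks a DC for a gMSA password.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. A security group holding every member host of the farm. Membership in this group is what
#    authorizes a host to retrieve the managed password from a DC; nothing else needs to know it.
$hostGroup = New-ADGroup -Name 'WebFarmHosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. Create the gMSA. Every instance of the service on the farm runs as this one principal,
#    so clients authenticating to the farm's name need not know which instance answers.
New-ADServiceAccount -Name 'WebFarmSvc' `
    -DNSHostName 'webfarm.contoso.com' `
    -ServicePrincipalNames 'HTTP/webfarm.contoso.com', 'HTTP/webfarm' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30   # DC-side rotation; hosts fetch current and preceding values

# 4. On each member host, after a reboot so the new group membership is in the host's token:
Install-ADServiceAccount -Identity 'WebFarmSvc'
Test-ADServiceAccount -Identity 'WebFarmSvc'   # True when this host can retrieve the password

# 5. Run the Windows service as the gMSA. The trailing '$' is required and the password is left
#    blank: the Service Control Manager obtains it from the DC, so no administrator ever sees it.
#    --% stops PowerShell parsing so sc.exe receives the arguments exactly as written.
sc.exe --% config MyWebService obj= CONTOSO\WebFarmSvc$ password= ""
Restart-Service -Name 'MyWebService'
```

Step 4 is the check worth keeping in a deployment runbook: Test-ADServiceAccount returning False on a host usually means the host is not yet a member of the authorized group in its own logon token, which a reboot fixes, or that the KDS root key has not yet become effective.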
The following table notes the changes to the MSA feature.
Feature                          Windows Server 2008 R2   Windows Server 2012
Virtual Computer Accounts        Yes                      Yes
Managed Service Accounts         Yes                      Yes
Group Managed Service Accounts   No                       Yes
Windows PowerShell cmdlets       Yes                      Yes
For information about these changes in functionality for MSA, see What's New for Managed Service Accounts.
For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed Service Accounts.
Managed Service Accounts (and Virtual Computer Accounts) apply to both Windows Server 2008 R2 and Windows Server 2012. Group Managed Service Accounts can only be configured and administered on computers running Windows Server 2012 but can be deployed as a single service identity solution in domains that still have some DCs running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
A 64-bit architecture is required to run the Windows PowerShell commands which are used to administer group Managed Service Accounts.
A managed service account is dependent upon Kerberos supported encryption types. When a client computer authenticates to a server using Kerberos, the DC creates a Kerberos service ticket protected with an encryption type that both the DC and the server support. The DC uses the account's msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports and, if the attribute is absent, it assumes the server does not support stronger encryption types. If the Windows Server 2012 host is configured to not support RC4, authentication will then always fail. For this reason, AES should always be explicitly configured for MSAs.
Beginning with Windows Server 2008 R2, DES is disabled by default. For more information about supported encryption types, see Changes in Kerberos Authentication.
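The failure mode above (no msDS-SupportedEncryptionTypes attribute, so the DC issues an RC4 ticket that an AES-only host cannot use) is easy to detect and fix from PowerShell. The following is an added example, not from the original article; it assumes a gMSA named WebFarmSvc already exists, and the helper Get-GmsaEncryptionTypes is a hypothetical name. The bit values of msDS-SupportedEncryptionTypes are the ones defined in MS-KILE.

```powershell
# Added example, not from the original article. Assumes an existing gMSA "WebFarmSvc".
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
$encTypeBits = [ordered]@{
    'DES-CBC-CRC'            = 1
    'DES-CBC-MD5'            = 2
    'RC4-HMAC'               = 4
    'AES128-CTS-HMAC-SHA1-96' = 8
    'AES256-CTS-HMAC-SHA1-96' = 16
}

# Hypothetical helper: decode the attribute into the encryption types the DC will offer.
function Get-GmsaEncryptionTypes {
    param([Parameter(Mandatory)][string]$Identity)
    $acct  = Get-ADServiceAccount -Identity $Identity -Properties msDS-SupportedEncryptionTypes
    $value = $acct.'msDS-SupportedEncryptionTypes'
    if ($null -eq $value) {
        # The case the article warns about: no attribute, so the DC assumes nothing stronger than RC4.
        return @('<attribute not set: DC assumes the server does not support AES>')
    }
    $encTypeBits.GetEnumerator() | Where-Object { $value -band $_.Value } | ForEach-Object { $_.Key }
}

# Before: what the DC currently believes the account supports.
Get-GmsaEncryptionTypes -Identity 'WebFarmSvc'

# Explicitly require AES, as the article recommends. RC4 is intentionally not listed; confirm every
# member host in the farm supports AES before applying this to a production account.
Set-ADServiceAccount -Identity 'WebFarmSvc' -KerberosEncryptionType AES128, AES256

# After: only the two AES types should be listed (attribute value 8 + 16 = 24).
Get-GmsaEncryptionTypes -Identity 'WebFarmSvc'
```

The same -KerberosEncryptionType parameter is accepted by New-ADServiceAccount, so the AES setting can be made at creation time rather than corrected afterwards; the decode helper is still useful for auditing accounts created without it.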
Group Managed Service Accounts are not applicable to Windows operating systems prior to Windows Server 2012.
There are no configuration steps necessary to implement MSA and group MSA using Server Manager or the Install-WindowsFeature cmdlet.
The following table provides links to additional resources related to Managed Service Accounts and group Managed Service Accounts.
Tools and settings
Other resource categories: Not yet available