Maroli ICT

Like said in my previous post for TSql Tuesday, I am a big fan of automating stuff to be become secure by default.

One of the measurements we have taken on my assignment is to implement Group Managed Service Accounts. But what are they? How can you use them and what are the benefits for SQL Server for example. In this post I will try to answer those questions.

Back in the time that Windows 2012 was introduced, they also introduced Managed Service Accounts. Those managed Service accounts could be created in a OU in Active Directory. Per server you should create an account. When you wanted to use those accounts on your system, you needed to add credential like thing to your windows environment you just needed to point to the account and the password.

But when you need to install lots of new boxes, you’d have to create a new account each time. The difference with normal service accounts is then that a Managed Service Account can change his password every xx days This was one of the only benefits a MSA had over a normal Service Account.

One of the missing things in that approach is that one cannot use the account for multiple instances. 

Microsoft experienced the same problems, probably in the cloud. Then they invented Group Managed Service Accounts (GMSA). In fact this is MSA 3.0 (yes, they skipped 2.0).

A GMSA is in fact the same account as a Managed Servce Account, it is only managed by a group. The group is a computergroup, not a group with user accounts. Members of this group are able to use a GMSA. So, where you normally would create a service account each time, you now need to add a computeraccount to the group. When this is done, you need to create a Credential on the server and then reboot your server. After restarting, you are able to install SQL using the Account. You do not need to fill in a password, since you do not know it and it does not make sence to know it. These steps can be done during an OSD (installation sequence of a server with or without SQL). 

The best part of a GMSA is that it is only one account. If you create appropriate scripts or policies, it is also possible to add things like Service Principle Name creation for Kerberos Authentication and so on.

What I like most on GMSA is the fact that, based on the domain policies, a GMSA will reset its password every 30 days and has a length of 128 random characters. No one knows the password!

GMSA’s can also be used for various other services on windows.

Next time I will setup GMSA on the domaincontroller.