Group Managed Service Accounts an Amazing Thing to Know

Lot of times we need to use service accounts for applications or Roles in the Windows Servers and configure it with static passwords.

In real world only few times change the password of the service accounts. However we must keep these passwords in a safe environment.

Does has someone hear for the gMSA(Group Manage Service Account)? 

To be honest  3 months ago was the first time that hear while study for the MCSA (Microsoft Certified Solution Architect) Exams.

I note that it will be the first things that i will start to use it after finish my Exams.

So i am here now to explain and inform you for those that they don't have hear it again of what is the gMSA.

But why to use gMSA(Group Manage Service Account)?

  • With gMSA(Group Manage Service Account) you don't need to manage password of your Service Accounts. 
  • You will secure your Service Accounts to be compromised. How? Find our a very usefull video by which explain how can be compromise a Service Account and get the passwords instead of a gMSA

So let's start !!!


Before start to use the gMSA you must read and verify that has the following requirements

  • Active Directory schema must be at least Windows Server 2012
  • Domain Controllers must be at least Windows Server 2012
  • x64 architecture in a Computer that will run the Powershell for Active Directory
  • KDS Root Key in Domain Controller to begin generate passwords for the gMSA

For more details for the Requirements you can visit the Getting Started with Group Managed Service Accounts from Microsoft Docs


How to Install the gMSA

After verify that fulfill all the requirements let's continue with the creation and installation of the gMSA(Group Manage Service Account.

Create the KDS Root Key

  • As per requirements the first step is to create the KDS Root Key

  • So let's open a Powershell as Administrator and run the following command.

  • Note that with this command must take place 10 hours until key generation of the Domain Controller before create the gMSA(Group Manage Service Account)
    Add-KdsRootKey -EffectiveImediately


  • If try to create the gMSA(Group Manage Service Account) you will get an error that the Key doesn't exist
  • If you want to use it immediately for your tests in your Lab you can run the following command that set the start time in the past 10 hours before
    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))


Delete the KDS Root Key

Deletion of the KDS Root Key it's not recommended if you have start already use the gMSA because Servers has cache the password.

However If for any reason you want to delete the KDS Root key then you can

  • Open the Active Directory Sites and Services
  • Click in Active Directory Sites and Services [your Domain]
  • Click in View and Select Show Service Node
  • Expand the Group Key Distribution Service
  • Click on Master Root Key and find the Key in the right side
  • From a Powershell command run the Get-KdsRootkey and verify the Keyid
  • Right click in the Key and delete


Create the gMSA(Group Manage Service Account)

After we create the KDS Root Key we can proceed to create the gMSA.

  • From the Domain Controller open the Powershell as Administrator
  • Run the following command and change the Name and DNSHostname base on your requirements
  • Note that this are the minimum just to run the command and create the gMSA. 
    New-ADServiceAccount -Name "gsaccount" -DNSHostName ""


  • Now open the Active Directory Computer and Services
  • Expand the Manage Service Account and you will see the gMSA which create


Where and How can use the gMSA

When i start to working with gMSA my first thought after created was How can use it?

Let's do some examples

Let's say that you have 2 Servers with Veeam and Backup Replication and one WSUS Server which use IIS and you want to use the gMSA

  • First of al you must create a Group in the Active Directory which include the Computer Objects that will use the gMSA


  • Now run the following command to add members Hosts to gMSA 
    Set-ADServiceAccount -Identity "gsaccount" -PrincipalsAllowedToRetrieveManagedPassword "gMSA Members"


  • Login in your Server that you want to change the Service Account to gMSA
  • Open the Services
  • Select the Service and with right click --- Properties
  • Click in Tab Logon
  • Check the This account
  • Type the account of the gMSA as the following format:
  • Clean any password that maybe has from previous account and click Apply. 


  • It will ask to restart the Service until take effect.


  • Restart the Service to apply the gMSA
  • Follow the above steps for the other Servers that you want to use the gMSA. In my example i will do the same for the 2 Servers with the Veeam and i will change all the service accounts related with the Veeam with the gMSA which create before


gMSA can you help you to eliminate passwords of Service Accounts and the most important secure your Service Account to be compromised.

Have a nice weekend

I invite you to follow me on Twitter , Google+ or Facebook. If you have any questions, send email to me at