I routinely see organizations, big and small, still using regular Active Directory user accounts as service accounts. Typically the password for those accounts is set to never expire, or an alternate password policy only requires that it be changed yearly. A static, human-set password on an account that often holds elevated rights is a long-lived credential that can be harvested once and reused indefinitely. If your organization manages service accounts like this, you are increasing the potential for exploitation once an attacker gets inside your enterprise, and it is a matter of when, not if.
Windows Server 2012 introduced Group Managed Service Accounts (gMSA) to address exactly this situation. A gMSA is an upgrade of the standalone Managed Service Account (sMSA) that shipped with Windows Server 2008 R2, the key difference being that one gMSA can be used on multiple servers, whereas an sMSA is bound to a single computer. There is no need to create a separate service account for each server, although your internal policies may dictate otherwise.
Why use gMSA?
- The password is managed by Active Directory (AD) and rotated automatically every 30 days by default (ManagedPasswordIntervalInDays, which can only be set when the account is created).
- Because AD generates and rotates the password, no human ever sets or knows it. Only the computers or groups listed in PrincipalsAllowedToRetrieveManagedPassword can read it from the msDS-ManagedPassword attribute, so keep that list tight: any principal that can read that attribute effectively owns the account.
- gMSA passwords are 240 bytes long (120 random UTF-16 characters), which makes offline cracking of a Kerberos service ticket for the account (Kerberoasting) impractical.
- gMSAs are not permitted to log on interactively.
How do I configure and use a gMSA?
The code below is everything you need to get started with gMSAs. Also, take a look at the video below for a more in-depth walk-through of the process.
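As an added example (not the original post's script or video), here is the end-to-end PowerShell procedure. Steps 1 to 3 run on a domain controller or an admin workstation with the ActiveDirectory module; steps 4 and 5 run on the server that hosts the service. The domain contoso.com, the group gMSA-WebServers, the hosts WEB01 and WEB02, the account svc_web and the service MyService are placeholder names, not values from the original post.

```powershell
# Added example, not the original post's script. Assumed names: domain contoso.com,
# host group gMSA-WebServers, hosts WEB01/WEB02, account svc_web, service MyService.
Import-Module ActiveDirectory

# 1. One time per forest: create the KDS root key that DCs use to derive gMSA passwords.
#    -EffectiveImmediately still waits 10 hours so every DC has replicated the key first.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Single-DC lab only: backdate the key to skip the 10-hour wait.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A group holding the computers allowed to retrieve the password. Scope it tightly:
#    any member can read msDS-ManagedPassword and therefore act as the account.
New-ADGroup -Name 'gMSA-WebServers' -GroupScope Global -GroupCategory Security `
    -Description 'Hosts permitted to retrieve the svc_web gMSA password'
Add-ADGroupMember -Identity 'gMSA-WebServers' -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. Create the gMSA. The 30-day interval is the default and can only be set here;
#    restrict Kerberos to AES and register the SPN the service will present.
New-ADServiceAccount -Name 'svc_web' `
    -DNSHostName 'svc_web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebServers' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames 'HTTP/web.contoso.com'

# 4. On each host in the group (reboot it first so its Kerberos ticket carries the new
#    group membership), install the account and confirm the host can retrieve the password.
#    Needs the AD PowerShell RSAT module: Add-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity 'svc_web'
Test-ADServiceAccount -Identity 'svc_web'     # True means this host pulled the password

# 5. Run the service as the gMSA: the account is DOMAIN\name$ and the password is left
#    blank because the host fetches it from AD itself. (sc alone is a PowerShell alias
#    for Set-Content, hence sc.exe.)
sc.exe config MyService obj= 'CONTOSO\svc_web$' password= ''
Restart-Service -Name MyService

# 6. Periodic audit: who can retrieve each gMSA's password? Anything beyond the intended
#    host group is a finding.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{ n = 'CanRetrievePassword'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } }
```

If Test-ADServiceAccount returns False, the usual causes are a KDS root key that is not yet effective, a host that is not a member of the retrieval group, or a host that has not been rebooted since it was added to the group.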
Do yourself a favor… get rid of legacy service accounts. It’s one of those things you can do to incrementally harden your enterprise.