What is gMSA and sMSA?

gMSA (Group Managed Service Account)

  • Group Managed Service Account (gMSA) is an account type introduced in Windows Server 2012. A gMSA is an automatically managed account whose password is generated, stored and rotated by Active Directory at a configured interval (every 30 days by default), so no administrator ever has to know or handle it, and the same account can be used on multiple servers or by multiple services. [To create a gMSA, you need the Active Directory PowerShell module from Windows Server 2012 or later.]

SMSA (Stand-Alone Managed Service Account)

  • Stand-Alone Managed Service Account (sMSA) is a service account designed for use on a single server, introduced with Windows Server 2008 R2; it is the predecessor of the gMSA. It is designed for a single server and does not require a domain. I will not cover the sMSA account in this article [because Windows Server 2008 support has ended].

How to Create and Configure a gMSA

# Query / create the KDS root key (required before any gMSA password can be generated):
Get-KdsRootKey
# Production: the key becomes usable only after replication, roughly 10 hours later
#Add-KdsRootKey -EffectiveImmediately
# Lab only: backdate the effective time so the root key is usable right away
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create the gMSA account (its password can be retrieved only by members of IIS_Servers):
New-ADServiceAccount -Name IISgMSAAccount -DNSHostName guler.com -PrincipalsAllowedToRetrieveManagedPassword "IIS_Servers"
# Hosts can also be listed individually instead of through a group:
#New-ADServiceAccount -Name IISgMSAAccount -DNSHostName guler.com -PrincipalsAllowedToRetrieveManagedPassword "iisServer1$","iisServer2$"

# Install / verify the gMSA on a member server (run locally on that server):
Install-ADServiceAccount -Identity "IISgMSAAccount"
Test-ADServiceAccount -Identity IISgMSAAccount

# Use the gMSA account:
Enter the account in the format DOMAIN\MygMSAAccount$ and leave the password field empty. The trailing $ sign indicates that it is a service account.

# Password management / general query:
# The rotation interval can only be set when the account is created; Set-ADServiceAccount cannot change it afterwards
New-ADServiceAccount -Name IISgMSAAccount -DNSHostName guler.com -PrincipalsAllowedToRetrieveManagedPassword "IIS_Servers" -ManagedPasswordIntervalInDays 15
Get-ADServiceAccount -Identity "IISgMSAAccount" -Properties *
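The steps above, carried through end to end as an added example (not code from the original post), followed by an audit that lists who may retrieve each gMSA password. The domain, group, account and server names are hypothetical placeholders.

```powershell
# Added example: end-to-end gMSA setup plus a least-privilege audit of gMSA password retrievers.
# All names below (guler.com, IIS_Servers, IISgMSAAccount, iisServer1/2) are hypothetical.
Import-Module ActiveDirectory

$Domain  = 'guler.com'
$Group   = 'IIS_Servers'
$Account = 'IISgMSAAccount'
$Servers = 'iisServer1', 'iisServer2'

# 1. A KDS root key must exist before any gMSA password can be generated.
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately (usable after ~10 h of replication).
    # Lab only: backdate the key so it is usable at once.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Grant password retrieval to a dedicated group rather than to individual hosts.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members ($Servers | ForEach-Object { Get-ADComputer $_ })

# 3. Create the account. The rotation interval and Kerberos encryption types are
#    fixed here; the interval cannot be changed afterwards.
New-ADServiceAccount -Name $Account -DNSHostName "$Account.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $Group `
    -ManagedPasswordIntervalInDays 15 -KerberosEncryptionType AES128, AES256

# A member server picks up its new group membership only after a reboot or
# 'klist -li 0x3e7 purge'; then run Install-/Test-ADServiceAccount on that server.

# 4. Audit: every gMSA with its retrieval principals and interval, so that an
#    over-broad grant (e.g. Domain Computers) or a long interval stands out.
function Get-GmsaAudit {
    Get-ADServiceAccount -Filter { ObjectClass -eq 'msDS-GroupManagedServiceAccount' } `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    ForEach-Object {
        $retrievers = @($_.PrincipalsAllowedToRetrieveManagedPassword)
        [pscustomobject]@{
            Name       = $_.Name
            Retrievers = ($retrievers -join ';')
            Interval   = $_.ManagedPasswordIntervalInDays
            Flag       = if ($retrievers -match 'Domain Computers|Authenticated Users') { 'OVERBROAD' } else { '' }
        }
    }
}
Get-GmsaAudit | Format-Table -AutoSize
```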

SMSA 🆚 GMSA

Choosing one over the other depends on the requirements of the application or service that will use the account. If the application runs on a single server only, an sMSA is sufficient; if the service needs to run on multiple servers, choose a gMSA, which provides that flexibility.

-farukguler

This post is licensed under CC BY 4.0 by the author.