Using a Managed Service Account (MSA or gMSA) in ADManager Plus


A Managed Service Account (MSA) or group Managed Service Account (gMSA) is a more secure and scalable service account with the characteristics of a computer object. The passwords of MSAs/gMSAs are random and are automatically updated by the Windows OS. These accounts can be used to secure services running on a single server or a server cluster.

In addition to traditional service accounts, an MSA/gMSA can also be provided in ADManager Plus to administer your AD network. This article walks you through the benefits of MSAs/gMSAs and how to use them in ADManager Plus.

Benefits of using MSAs/gMSAs instead of traditional service accounts:
  1. Mitigate password attacks: MSA/gMSA passwords are 240 bytes long and are randomly generated. This can help reduce the password attack surface.
  2. Automated password management: MSA/gMSA passwords are changed every 30 days automatically and don't require any admin intervention.
  3. Server-cluster deployment: Secure services running across multiple servers by deploying MSAs/gMSAs.


How to use an MSA/gMSA in ADManager Plus?

An MSA/gMSA can only be used when ADManager Plus is run as a service and when Domain Admin/user account credentials are not provided during domain configuration.
  1. Stop ADManager Plus.
  2. Open Windows Service Manager (Services.msc).
  3. Right-click on ManageEngine ADManager Plus and click Properties.
  4. Navigate to the Log On tab and select This account.

  5. Browse and locate the MSA/gMSA account that you would like to use and click OK.

  6. Start ADManager Plus as a service.


The MSA/gMSA account must have sufficient permissions to carry out the desired tasks in ADManager Plus. Refer to this document to learn about the minimum permissions required by these accounts.
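
After completing the steps above, the configuration can be confirmed from PowerShell on the ADManager Plus server. The following read-only check is an added example, not ManageEngine's own tooling: it assumes the ActiveDirectory module (RSAT) is installed on the server and that the service's display name is the one shown in step 3.

```powershell
# Added example: read-only check. Run in an elevated PowerShell session
# on the ADManager Plus server. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop

# Display name as it appears in Services.msc (step 3 above).
$displayName = 'ManageEngine ADManager Plus'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' was not found on this host." }

# StartName is the logon account, e.g. DOMAIN\account$ for an MSA/gMSA.
$sam = ($svc.StartName -split '\\')[-1]
if ($sam -notlike '*$') {
    throw "Service logs on as '$($svc.StartName)', which is not a managed service account."
}

# Look the account up in AD and pull the password-management attributes.
$acct = Get-ADServiceAccount -Filter "SamAccountName -eq '$sam'" -Properties `
    'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet
if (-not $acct) { throw "No MSA/gMSA named '$sam' was found in the domain." }

# True only when the account is installed on, and usable from, this host.
$usable = Test-ADServiceAccount -Identity $acct

[pscustomobject]@{
    Service         = $svc.Name
    State           = $svc.State
    LogonAccount    = $svc.StartName
    ObjectClass     = $acct.ObjectClass      # msDS-GroupManagedServiceAccount for a gMSA
    UsableOnHost    = $usable
    PasswordLastSet = $acct.PasswordLastSet
    IntervalDays    = $acct.'msDS-ManagedPasswordInterval'   # gMSA only
    AllowedToRead   = $acct.PrincipalsAllowedToRetrieveManagedPassword -join '; '
}
```

For a gMSA, review `AllowedToRead`: it should list only the servers (or the group containing them) that actually run ADManager Plus, since any principal listed there can retrieve the account's password.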

Limitations of using an MSA/gMSA in ADManager Plus
Using an MSA/gMSA account in ADManager Plus has a lot of advantages in terms of security, but it comes with a few limitations.
  1. Exchange and Skype for Business management tasks cannot be performed.
  2. GPOs cannot be force updated.
  3. Users and groups cannot be migrated.
  4. Resultant Set of Policy and GPO Modeling reports cannot be updated.
