Using a Managed Service Account (MSA or gMSA) in ADManager Plus
A Managed Service Account (MSA) or group Manage Service Account (gMSA) is a more secure and scalable service account with the characteristics of a computer object. The passwords of MSAs/gMSAs are random and are automatically updated by the Windows OS. These accounts can be used to secure services running in a single server or a server cluster.
In addition to the traditional service accounts, a MSA/gMSA can also be provided in ADManager Plus to administer your AD network. This article will walk you through the benefits of MSAs/gMSAs and how to use them in ADManager Plus.
Benefits of using MSAs/gMSAs instead of traditional service accounts:
- Mitigate password attacks: MSAs/gMSAs passwords are 240-bytes long and are randomly generated. This can help reduce the password attack surface.
- Automated password management: MSA/gMSA passwords are changed every 30 days automatically and don't require any admin intervention.
- Server-cluster deployment: Secure services running across multiple servers by deploying MSAs/gMSAs.
How to use a MSA/gMSA in ADManager Plus?
A MSA/gMSA can only be used when ADManager Plus is run as a service and when a Domain Admin/user account credentials is not provided during domain configuration.
- Stop ADManager Plus.
- Open Windows Service Manager (Services.msc).
- Right-click on ManageEngine ADManager Plus and click Properties.
Navigate to the Logon tab and select This Account:.
Browse and locate the MSA/gMSA account that you would like to use and click OK.
Start ADManager Plus as a service.
The MSA/gMSA account must have sufficient permissions to carry out the desired tasks in ADManager Plus. Refer to this document to learn about the minimum permissions required by these accounts.
Limitations of using MSA/gMSA in ADManagerPlus
Using a MSA/gMSA account in ADManager Plus has a lot of advantages in terms of security, but it comes with a few limitations.
- Exchange and Skype for Business management tasks cannot be performed.
- GPOs cannot be force updated.
- Users and groups cannot be migrated.
- Resultant Set of Policy and GPO Modeling reports cannot be updated.
New to ADSelfService Plus?
Related Articles
Microsoft365 License Management using ADManager Plus
Microsoft 365 License Management using ADManager Plus The M365 licenses can be managed by the following methods, Using the License Management section under Microsoft 365 tab. Managing licenses using user creation/modification templates. Using the ...Email server configuration failures using ADManager Plus
Issue description The mail server configuration in ADManager Plus is essential for enabling email-based notifications, alerts, and reports. It ensures that administrators and users receive timely updates about task completions, failures, approvals, ...How to run ADManager Plus as a Service?
To run ADManager Plus as a service, perform the following steps after downloading and installing ADManager Plus. Click Start > ADManager Plus > Install ADMP Service. When ADManager Plus is installed as a service, it runs with the privileges of the ...How to apply the service pack to update ADManager Plus
You can update ADManager Plus to a higher version by applying the appropriate service pack downloaded from this page. Note: It's recommended to take a server snapshot before proceeding with the steps below. This can be done by zipping the product ...ADManager Plus upgrade failure
Issue description Upgrade failure occurs when background processes from the ADManager Plus installation folder are still running. During an upgrade, if files within the installation directory are being accessed by other processes, the upgrade may ...