Using a Managed Service Account (MSA or gMSA) in ADManager Plus
A Managed Service Account (MSA) or group Manage Service Account (gMSA) is a more secure and scalable service account with the characteristics of a computer object. The passwords of MSAs/gMSAs are random and are automatically updated by the Windows OS. These accounts can be used to secure services running in a single server or a server cluster.
In addition to the traditional service accounts, a MSA/gMSA can also be provided in ADManager Plus to administer your AD network. This article will walk you through the benefits of MSAs/gMSAs and how to use them in ADManager Plus.
Benefits of using MSAs/gMSAs instead of traditional service accounts:
- Mitigate password attacks: MSAs/gMSAs passwords are 240-bytes long and are randomly generated. This can help reduce the password attack surface.
- Automated password management: MSA/gMSA passwords are changed every 30 days automatically and don't require any admin intervention.
- Server-cluster deployment: Secure services running across multiple servers by deploying MSAs/gMSAs.
How to use a MSA/gMSA in ADManager Plus?
A MSA/gMSA can only be used when ADManager Plus is run as a service and when a Domain Admin/user account credentials is not provided during domain configuration.
- Stop ADManager Plus.
- Open Windows Service Manager (Services.msc).
- Right-click on ManageEngine ADManager Plus and click Properties.
Navigate to the Logon tab and select This Account:.
Browse and locate the MSA/gMSA account that you would like to use and click OK.
Start ADManager Plus as a service.
The MSA/gMSA account must have sufficient permissions to carry out the desired tasks in ADManager Plus. Refer to this document to learn about the minimum permissions required by these accounts.
Limitations of using MSA/gMSA in ADManagerPlus
Using a MSA/gMSA account in ADManager Plus has a lot of advantages in terms of security, but it comes with a few limitations.
- Exchange and Skype for Business management tasks cannot be performed.
- GPOs cannot be force updated.
- Users and groups cannot be migrated.
- Resultant Set of Policy and GPO Modeling reports cannot be updated.
New to ADSelfService Plus?
Related Articles
Microsoft365 License Management using ADManager Plus
Microsoft 365 License Management using ADManager Plus The M365 licenses can be managed by the following methods, Using the License Management section under Microsoft 365 tab. Managing licenses using user creation/modification templates. Using the ...How to apply the service pack to update ADManager Plus
You can update ADManager Plus to a higher version by applying the appropriate service pack downloaded from this page. Note: If you have enabled High Availability, proceed with these steps after applying the service pack. Alternatively, if you have ...Integrate ADManager Plus with Jira Service Management to perform AD actions directly from the tickets raised
Integrating ADManager Plus, a comprehensive Active Directory management solution with Jira Service Management, helps streamline and resolve identity management request tickets across multiple applications. For instance, upon ticket creation, ...How to install ADManager Plus in AWS
Steps to install ADManager Plus in Amazon Web Services EC2 instance: Logon to your Amazon Web Services (AWS) account. Select the configured EC2 instance and click the connect button. Connect to your Windows instance using: RDP client by downloading ...How to install and uninstall ADManager Plus as a Windows service
Objective: To install or uninstall ADManager Plus as a service. Once you have installed ADManager Plus, follow the steps provided below to install it as a service: Go to your machine's Start menu > All Programs Select ADManager Plus folder. Click ...