articles/active-directory/fundamentals/service-accounts-group-managed.md
Lines changed: 9 additions & 10 deletions
@@ -7,7 +7,7 @@ ms.service: active-directory
7
7
ms.workload: identity
8
8
ms.subservice: fundamentals
9
9
ms.topic: conceptual
10
-
ms.date: 02/06/2023
10
+
ms.date: 02/09/2023
11
11
ms.author: jricketts
12
12
ms.reviewer: ajburnle
13
13
ms.custom: "it-pro, seodec18"
@@ -39,14 +39,14 @@ If a service doesn't support gMSAs, you can use a standalone managed service acc
39
39
40
40
If you can't use a gMSA or sMSA supported by your service, configure the service to run as a standard user account. Service and domain administrators are required to observe strong password management processes to help keep the account secure.
41
41
42
-
## Assess gSMA security posture
42
+
## Assess gMSA security posture
43
43
44
44
gMSAs are more secure than standard user accounts, which require ongoing password management. However, consider gMSA scope of access in relation to security posture. Potential security issues and mitigations for using gMSAs are shown in the following table:
45
45
46
46
| Security issue| Mitigation |
47
47
| - | - |
48
-
| gMSA is a member of privileged groups | <li>Review your group memberships. Create a PowerShell script to enumerate group memberships. Filter the resultant CSV file by gMSA file names.<li>Remove the gMSA from privileged groups.<li>Grant the gMSA rights and permissions it requires to run its service. See your service vendor.
49
-
| gMSA has read/write access to sensitive resources |<li>Audit access to sensitive resources.<li>Archive audit logs to a SIEM, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remove unnecessary resource permissions if there's an unnecessary access level.|
48
+
| gMSA is a member of privileged groups | - Review your group memberships. Create a PowerShell script to enumerate group memberships. Filter the resultant CSV file by gMSA file names</br> - Remove the gMSA from privileged groups</br> - Grant the gMSA rights and permissions it requires to run its service. See your service vendor.
49
+
| gMSA has read/write access to sensitive resources |- Audit access to sensitive resources</br> - Archive audit logs to a SIEM, such as Azure Log Analytics or Microsoft Sentinel</br> - Remove unnecessary resource permissions if there's an unnecessary access level |
50
50
51
51
52
52
## Find gMSAs
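Review bot: the first table row (`| gMSA is a member of privileged groups | ...`) still ends without a closing `|`, while the second row has one; both versions of the diff carry this inconsistency, and some Markdown renderers treat an unterminated row as malformed, so add the trailing `|` to match the second row. Two further points in the same hunk: `</br>` is not a valid tag (the line-break element is `<br>` or `<br/>`; a stray closing tag may be ignored or rendered literally depending on the pipeline), and the second row drops the words "for analysis" from the SIEM bullet, which is a wording change rather than the formatting cleanup the rest of the hunk performs, so either keep the original phrasing ("... Microsoft Sentinel, for analysis") or call out the change in the commit description. The heading fix from `gSMA` to `gMSA` looks correct.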
@@ -110,16 +110,15 @@ To manage gMSAs, use the following Active Directory PowerShell cmdlets:
110
110
## Move to a gMSA
111
111
112
112
gMSAs are a secure service account type for on-premises. It's recommended you use gMSAs, if possible. In addition, consider moving your services to Azure and your service accounts to Azure Active Directory.
113
+
114
+
> [!NOTE]
115
+
> Before you configure your service to use the gMSA, see [Get started with group managed service accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)).
113
116
114
117
To move to a gMSA:
115
118
116
-
1. Ensure the [Key Distribution Service (KDS) root key](/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key) is deployed in the forest. This is a one-time operation.
117
-
2.[Create a new gMSA](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
119
+
1. Ensure the Key Distribution Service (KDS) root key is deployed in the forest. This is a one-time operation. See, [Create the Key Distribution Services KDS Root Key](/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key).
120
+
2. Create a new gMSA. See, [Getting Started with Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
118
121
3. Install the new gMSA on hosts that run the service.
119
-
120
-
> [!NOTE]
121
-
> Before configuring your service to use the gMSA, see [Get started with group managed service accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)).
122
-
123
122
4. Change your service identity to gMSA.
124
123
5. Specify a blank password.
125
124
6. Validate your service is working under the new gMSA identity.
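Review bot: steps 1 and 2 introduce the phrasing "See, [Create the Key Distribution Services KDS Root Key](...)" and "See, [Getting Started with Group Managed Service Accounts](...)"; the comma after "See" is a punctuation error, so drop it in both lines ("See [Create the ...]"). Moving the note above the procedure is a good change, since the reader should read the getting-started guidance before step 1 rather than discovering it at step 3; consider, though, that the note still links to the Windows Server 2012 R2 previous-versions page while steps 1 and 2 now link to the current windows-server documentation, so it may be worth pointing the note at the same current guide to avoid sending readers to two sources for one procedure.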