defender-for-identity/deploy/create-directory-service-account-gmsa.md
12 additions & 18 deletions
@@ -10,12 +10,6 @@ ms.reviewer: rlitinsky
This article describes how to create a [group managed service account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) to use as a Microsoft Defender for Identity directory service account entry.
-
-
>[!NOTE]
-
> - In multi-forest or multi-domain environments, make sure the domain where you create the gMSA trusts the sensors’ computer accounts.
-
> - Create a universal group in each domain that includes all sensors computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
-
> - Give each gMSA a unique name for each forest or domain.
-
## Prerequisites
- Make sure you have permissions to create gMSAs and security groups in Active Directory.
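Review bot: the three bullets removed from this note all reappear in the next hunk (the trust and universal-group points under Prerequisites, the unique-name rule as a step in the procedure), so nothing is lost, but the intro no longer warns a reader in a multi-forest or multi-domain environment that extra setup applies before they create anything. Consider keeping a one-line pointer after the intro sentence, e.g. `> [!NOTE]` / `> Multi-forest and multi-domain environments have additional requirements; see Prerequisites.`, so the signal at the top of the page survives the move.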
@@ -34,25 +28,24 @@ This article describes how to create a [group managed service account (gMSA)](/w
-**Forest with multiple domains**: If you use a single Directory service account (DSA), we recommend creating a universal group and adding each of the domain controllers and AD FS or AD CS servers to the universal group.
+
- In multi-forest or multi-domain environments, make sure the domain where you create the gMSA trusts the sensors’ computer accounts.
+
+
- Create a universal group in each domain that includes all sensors computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
+
## Create the gMSA account
-
To prepare the gMSA account for use:
-
1. Create the gMSA account.
-
1. Create a group that can retrieve the account's password.
-
1. Test that the account is ready to use.
+
1. If you've never used a gMSA account before, you might need to generate a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory. This step is required only once per forest.
+
To generate a new root key for immediate use, run the following command:
-
>[!NOTE]
-
> If you've never used a gMSA account before, you might need to generate a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory. This step is required only once per forest.
-
>
-
> To generate a new root key for immediate use, run the following command:
-
> ```powershell
-
> Add-KdsRootKey -EffectiveImmediately
-
> ```
+
```powershell
+
Add-KdsRootKey -EffectiveImmediately
+
```
1. Update the following code with variable values for your environment.
-
1. Run the PowerShell commands as an administrator.
+
1. Give each gMSA a unique name for each forest or domain.
+
1. Run the PowerShell commands as an administrator. This script creates a gMSA account, a group that can retrieve the account password, and adds the specified computer accounts to that group.
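Review bot: the new step 1 breaks the numbered list: the continuation sentence `To generate a new root key for immediate use, run the following command:` and the ` ```powershell ` fence that follows it are added at column 0 instead of indented under the list item, so the list ends there and `1. Update the following code with variable values for your environment.` renders as a fresh list that starts at 1 again; indent the paragraph and the fence to match the list item. Two smaller points in the same hunk. The deleted `**Forest with multiple domains**` line named the domain controllers and the AD FS or AD CS servers explicitly, while its replacement only says `all sensors computer accounts`; those servers are the ones people forget when populating the group, so keep the explicit mention (and write `sensors' computer accounts`). The sentence `make sure the domain where you create the gMSA trusts the sensors' computer accounts` should say the domain must trust the domain that holds the sensor computer accounts, since trusts are between domains, not accounts. Lastly, since the root-key step now stands on its own, it is worth a sentence that `Add-KdsRootKey -EffectiveImmediately` does not make the key usable on every domain controller at once; Microsoft's guidance is to allow time for replication (up to 10 hours) or, in a test environment only, to create it with `-EffectiveTime ((Get-Date).AddHours(-10))`, otherwise `New-ADServiceAccount` in the next step can fail with a key-not-found error.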
## Refresh Kerberos tickets after changing group membership
The Kerberos ticket has a list of groups that an entity is a member of when the ticket is issued. If you add a computer account to the universal group after it already received a Kerberos ticket, it can't retrieve the gMSA's password until it gets a new ticket.