0 Votes
GOne-3896 asked

Windows Service account functionalities

Hello,

A couple of questions related to service accounts.

Q1: Can a traditional service account (a standard user account in Active Directory) be used on multiple computers where the same or different services are deployed?

Q2: Can Group Managed Service Accounts be used for a service running on different servers that are not part of any cluster or server farm?

Please answer the above questions specifically, with reference articles.

Tags: windows-server, windows-active-directory, windows-server-2016, windows-server-infrastructure

1 Answer

0 Votes
Fabian-7704 answered

Q1: Yes, it is a usual case, e.g. logging in to a PC and to RDS or VDI at the same time. I think there is no article that covers exactly this case.
What is your concern?
Perhaps the better question is: why would you do that?

Q2: Yes, this is the advantage of gMSA over MSA. Add both computers to the PrincipalsAllowedToRetrieveManagedPassword property.

https://docs.microsoft.com/en-us/services-hub/health/kb-running-assessments-with-msas

Standalone Managed Service Accounts (also known as Virtual Accounts) can only be authorized to authenticate on a single domain joined computer.
Group Managed Service Accounts can be authorized to authenticate on several domain computers.

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts


Thanks for the reply.

Q1: If a traditional service account (a standard user account in Active Directory) can be used on multiple computers, then how is this different from a gMSA, since a gMSA is also used on multiple computers?

Q2: As you said, please explain with examples why someone would use a traditional service account on multiple computers where the same or different services are deployed.

Q3: As per the Microsoft article, a gMSA can be used for the same service deployed on multiple cluster nodes, or for a service hosted on a server farm.
So does it mean that a gMSA cannot be used for different services hosted on different servers that do not belong to any server farm or cluster? So do I have to use a traditional service account (a user account in AD) for the same or different services hosted on different servers that are not part of a cluster or server farm?

Kindly explain and provide clarity on the above questions.

0 Votes

Hi @GOne-3896,
Thank you for your update. Because your question is a bit complicated and difficult, I may need some time to study it, and I will give you the answer next week. Thank you for your understanding and support.
Best wishes
Vicky

0 Votes

Q1: As you can see in the first link, a gMSA differs from a classic user account in the following ways:

  • Automatic password management, simplified service principal name (SPN) management

  • Cannot be used to interactively log into Windows

  • Easily control which computers are authorized to authenticate MSAs and run code in their context

Q2: You should always prefer gMSA, and personally I prefer a different gMSA for each service on each computer to avoid dependencies. If the same identity is required, for example for a web server farm as described in the first link, you must use the same gMSA on different computers. But again there is no limitation; use as many gMSAs as you can, so that each gMSA holds as few privileges as required. If an application does not support gMSA, e.g. because interactive logon, a password input, running on a non-Windows device or running on a non-domain-joined device is required, then you must use a legacy service account (aka a normal user account).

Q3: Explained in Q2.
1 Vote
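To make concrete both the answer's advice ("add both computers to the PrincipalsAllowedToRetrieveManagedPassword property") and the later recommendation of one gMSA per service per host, here is an added PowerShell walkthrough. It is example code written for this page, not code from the thread's participants or from Microsoft's documentation. The domain name, host names, group name, account names and the service name are assumptions chosen for illustration; the cmdlets (`Add-KdsRootKey`, `New-ADServiceAccount`, `Set-ADServiceAccount`, `Install-ADServiceAccount`, `Test-ADServiceAccount`) are the standard ones from the ActiveDirectory module.

```powershell
# Added example, not from the original thread. Domain CORP / corp.example.com,
# hosts IDM01/IDM02/IDM03/APP01, the group and account names, and the service
# name are all assumed values for illustration.

Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# In production use -EffectiveImmediately and allow ~10 hours for replication;
# the -EffectiveTime form below is only appropriate for a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Case 1 (the answer's Q2): one identity shared by several hosts that are not a
# cluster or farm. A security group holds the authorized computers, so adding a
# host later is a group-membership change rather than an edit of the account.
$hostGroup = New-ADGroup -Name 'gMSA-IdM-Hosts' -GroupScope Global `
    -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'IDM01'), (Get-ADComputer 'IDM02')

New-ADServiceAccount -Name 'gmsa-idm' `
    -DNSHostName 'gmsa-idm.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'HTTP/idm.corp.example.com'

# Case 2 (the later comment): a separate gMSA for one service on one host,
# so the identity carries only the privileges that service needs.
New-ADServiceAccount -Name 'gmsa-app01-svc' `
    -DNSHostName 'gmsa-app01-svc.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer 'APP01')

# Authorizing a third host on the shared account is just a membership change.
# (Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword would do the
# same thing if the hosts were listed directly on the account.)
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'IDM03')

# --- Run on each authorized host, as a local administrator ---
# The host's own Kerberos ticket must reflect the new group membership, so
# reboot or purge the computer account's tickets first: klist -li 0x3e7 purge
Install-ADServiceAccount -Identity 'gmsa-idm'
Test-ADServiceAccount -Identity 'gmsa-idm'   # True when this host can retrieve the password

# Point the service at the gMSA: logon name is DOMAIN\name$ with an empty
# password, because Windows fetches and rotates the password itself.
cmd.exe /c 'sc config IdMProvisioningSvc obj= "CORP\gmsa-idm$" password= ""'
```

Because the password is rotated automatically (every 30 days by default) and never typed into any server, the lockout-from-stale-password failure described later in this thread does not arise for services that can run under a gMSA; `Test-ADServiceAccount` returning `False` on a host is the first thing to check when a service under a gMSA fails to start.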

Thanks for the reply.

Problem scenario:

I have a legacy service account (aka normal user account) which is used on multiple computers by an Identity Management tool for automatic provisioning of user accounts and group management in Active Directory. The problem is that if that account is locked out because of an old password, the automation task fails and I have to manually provision the request and then update the latest password on the source server that is causing the account lockout.

Question:

According to the above scenario, I just want to confirm whether it is feasible to deploy a gMSA on each server where the same service is running under that legacy service account, in order to avoid failure of automatic provisioning?

OR

Is there any alternative or better solution to the above problem?

Please answer, explain and suggest the best solution.

0 Votes