Support for group managed service accounts

Operations Manager 2019 UR1 and later supports group managed service accounts (gMSA). This article details the accounts used for gMSA, and the procedures involved with gMSA support.

Note

This article applies to Operations Manager 2019 UR1 and later. It describes how to use gMSA in Operations Manager; it does not cover how to create these accounts. For information on how to create gMSA accounts, see gMSA accounts.

Accounts used for gMSA

Currently, Operations Manager uses the following accounts and services:

  • Action Accounts
    • Default Action account (management server Action account)
    • Agent Action account
    • GW Server Action account
    • Run As accounts
  • System Center Configuration Service and System Center Data Access Service (must be a member of the local Administrators group)
  • Data Reader account (for SSRS), must be a member of the Operations Manager Report Security Administrators group.
  • Data Warehouse Write account (for DW), must be a member of the Operations Manager Report Security Administrators group.
  • Agent Installation account
    • MSAA by default; needs admin rights on the target computers.

To leverage gMSA, administrators need to do the following:

Verify if managed service accounts can be used on the computer

Run the following PowerShell command for each gMSA account. If it returns True, the gMSA is ready to be used on the management server you selected.

Test-ADServiceAccount <gMSA_name>
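The following script is an added example, not part of the Operations Manager documentation. It runs the check above for several gMSAs at once on the management server where it executes, and when a check fails it reads the account's PrincipalsAllowedToRetrieveManagedPassword attribute so the administrator can see which computers are actually permitted to retrieve the managed password. The account names in $gmsaNames are assumptions for illustration; replace them with the gMSAs created for the roles listed above.

```powershell
# Added example (not from the Operations Manager documentation).
# Run on the management server you intend to use with the gMSAs.
Import-Module ActiveDirectory

# Hypothetical gMSA names, one per role; replace with your own.
$gmsaNames = @('OMActionSvc', 'OMDASSvc', 'OMDataReader', 'OMDWWriter')

foreach ($name in $gmsaNames) {
    $identity = $name.TrimEnd('$')

    try {
        # Test-ADServiceAccount returns $true only when this computer is able to
        # retrieve the account's managed password, which is what the services
        # on this server need in order to log on as the gMSA.
        $ok = Test-ADServiceAccount -Identity $identity -ErrorAction Stop
    }
    catch {
        Write-Warning "${identity}: not found in Active Directory or query failed ($($_.Exception.Message))"
        continue
    }

    if ($ok) {
        Write-Output "${identity}: ready on $env:COMPUTERNAME"
        continue
    }

    # The check failed. Show which principals are allowed to retrieve the
    # password so the fix can be made on the gMSA object in AD rather than by
    # granting broader rights on the server.
    $acct = Get-ADServiceAccount -Identity $identity `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = $acct.PrincipalsAllowedToRetrieveManagedPassword -join ', '
    if (-not $allowed) { $allowed = '(none)' }
    Write-Warning "${identity}: NOT usable on $env:COMPUTERNAME. Principals allowed to retrieve the password: $allowed"
}
```

The script only reads from Active Directory; it makes no changes. A False result with this server absent from the allowed principals means the gMSA object needs this computer (or a group containing it) added to PrincipalsAllowedToRetrieveManagedPassword before the account can be assigned to a service.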

Next steps

To use gMSA, do the following:

  • Provide security rights
  • Change databases
  • Service level account changes
  • Console level changes