Support for group managed service accounts

Operations Manager 2019 UR1 supports group managed service accounts (gMSA). This article details the accounts used for gMSA, and the procedures involved with gMSA support.

Note

This article is applicable for System Center 2019 UR1 - Operations Manager. It describes how to use gMSA in Operations Manager and does not cover how to create gMSA accounts. For information on how to create gMSA accounts, see gMSA accounts.

Accounts used for gMSA

Currently, Operations Manager uses the following accounts and services:

  • Action Accounts
    • Default Action account-management server Action account
    • Agent Action account
    • GW Server Action account
    • Run as accounts
  • System Center Configuration Service and System Center Data Access Service (needs to be a part of local admin group)
  • Data Reader account (for SSRS)
  • Data Warehouse Write account (for DW)
  • Agent Installation account
    • MSAA by default, needs admin rights on the target computers.

To leverage gMSA, administrators need to do the following:

Verify if managed service accounts can be used on the computer

Run the following PowerShell command for each gMSA account. If it returns True, then gMSA is ready to be used on the management server you selected.

Test-ADServiceAccount <gMSA_name>
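The same check run across several gMSA accounts on one management server, as an added example that is not part of the original article. The account names are constructed placeholders, and the script assumes the ActiveDirectory PowerShell module is installed on the server.

```powershell
# Added example: run on each management server that will use the gMSA accounts.
# Assumption: the ActiveDirectory module (RSAT) is available on this server.
Import-Module ActiveDirectory -ErrorAction Stop

# Constructed placeholder names; replace with your own gMSA accounts.
$gmsaNames = @('gmsa-om-action', 'gmsa-om-das', 'gmsa-om-reader', 'gmsa-om-writer')

$results = foreach ($name in $gmsaNames) {
    $status = 'NotReady'
    $detail = ''
    try {
        # True means this computer can retrieve the gMSA password and use the account.
        if (Test-ADServiceAccount -Identity $name -ErrorAction Stop) {
            $status = 'Ready'
        }
        else {
            # Show which principals may retrieve the password, so you can see
            # whether this server (or a group it belongs to) is missing.
            $acct = Get-ADServiceAccount -Identity $name `
                -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction Stop
            $detail = 'Allowed principals: ' +
                ($acct.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
        }
    }
    catch {
        # Typical causes: the account does not exist or the domain is unreachable.
        $status = 'Error'
        $detail = $_.Exception.Message
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Account  = $name
        Status   = $status
        Detail   = $detail
    }
}

$results | Format-Table -AutoSize -Wrap

# Stop here if any account cannot be used on this server.
$notReady = @($results | Where-Object { $_.Status -ne 'Ready' })
if ($notReady.Count -gt 0) {
    Write-Warning "$($notReady.Count) gMSA account(s) are not usable on $env:COMPUTERNAME."
    exit 1
}
```

Keeping the list of principals allowed to retrieve each password limited to the servers that run the corresponding service means a `NotReady` result on any other machine is the expected outcome.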

Next steps

To use gMSA, do the following:

Provide security rights

Change databases

Service level account changes

Console level changes