PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 11 min read

Group Managed Service Accounts (gMSA): How to Replace Service Account Passwords with Automatic Key Management

240-character
is the length of a gMSA password -- a randomly generated key that no human ever reads or knows. Standard service account passwords are typically 12-24 characters and are known to at least one admin. The gMSA key cannot be used for Pass-the-Hash or Kerberoasting attacks in the same way
30-day rotation
is the default gMSA password rotation interval, managed automatically by Active Directory. The new password is staged before the old one expires, so services experience no authentication interruption during rotation
Windows Server 2012 DC
is the minimum domain functional level required for gMSA. The KDS root key must be created on a Windows Server 2012 or later domain controller before any gMSA can be provisioned
Computer group authorization
controls which hosts can retrieve a gMSA password. Only machines in the authorized security group can use the account -- a compromised machine not in the group cannot retrieve the credential even with domain user access

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Service accounts with static passwords are one of the most reliable lateral movement paths in Active Directory environments. They accumulate over years, often have elevated permissions, and their passwords are stored in scripts, configuration files, and the memory of admins who set them up years ago. gMSA eliminates the entire class of 'service account password known to humans' by making the credential a domain-managed secret that rotates automatically and is never human-readable. The deployment involves one prerequisite (KDS root key) and then a straightforward creation and authorization process.

Create the KDS Root Key (One-Time Prerequisite)

The Key Distribution Service (KDS) root key must exist in the domain before any gMSA can be created. This is a one-time operation per domain.

Check if a KDS root key already exists:

Get-KdsRootKey
# Returns the key ID and creation time if one exists
# If empty output, no key exists yet

Create the KDS root key:

# For production (key becomes effective after 10-hour replication delay)
Add-KdsRootKey -EffectiveImmediately
# Note: 'EffectiveImmediately' actually means effective in 10 hours per AD replication rules
# For lab/test environments only (effective immediately, bypasses replication delay):
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

The key replicates to all DCs automatically. Wait for replication before creating gMSAs:

# Force AD replication if needed
repadmin /syncall /AdeP
# Then verify the key is available on all DCs
Get-KdsRootKey

The KDS root key is stored as a CN=Master Root Keys object under the Group Policy container. It does not need to be renewed -- one key per domain is sufficient for all gMSAs.

Create a gMSA and Authorize Hosts

Each gMSA is created for a specific purpose (one gMSA per service or application is recommended). The host authorization list controls which machines can retrieve the password.

Create a security group for authorized hosts:

New-ADGroup -Name 'gMSA-WebApp-Hosts' `
    -GroupScope Global `
    -GroupCategory Security `
    -Path 'OU=Service Account Groups,DC=domain,DC=com'
# Add authorized hosts to the group
Add-ADGroupMember -Identity 'gMSA-WebApp-Hosts' `
    -Members 'WEBSERVER01$', 'WEBSERVER02$', 'WEBSERVER03$'

Create the gMSA:

New-ADServiceAccount `
    -Name 'svc-webapp' `
    -DNSHostName 'svc-webapp.domain.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebApp-Hosts' `
    -KerberosEncryptionType AES128,AES256 `
    -Path 'OU=Service Accounts,DC=domain,DC=com' `
    -Description 'gMSA for WebApp service on WEBSERVER01-03'

Install the gMSA on the authorized host:

# Run on WEBSERVER01 (must be a member of gMSA-WebApp-Hosts group)
# Reboot may be required for new group membership to take effect
Install-ADServiceAccount -Identity 'svc-webapp'
# Verify it works
Test-ADServiceAccount -Identity 'svc-webapp'
# Should return: True
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Windows Services and IIS Application Pools to Use gMSA

Windows service configuration:

# Set service to run as gMSA (note the trailing $ -- gMSA accounts always end with $)
Sc.exe config "MyServiceName" obj= "DOMAIN\svc-webapp$"
# Or via PowerShell
Set-Service -Name 'MyServiceName' -Credential ([System.Management.Automation.PSCredential]::new('DOMAIN\svc-webapp$', [System.Security.SecureString]::new()))
# Or via GUI: Services > Properties > Log On > This account: DOMAIN\svc-webapp$ (no password required)

Leave the password fields blank in the GUI -- gMSA accounts do not use a password field. The service account uses Kerberos to retrieve the password from AD.

IIS Application Pool configuration:

import-module WebAdministration
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.userName -Value 'DOMAIN\svc-webapp$'
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.password -Value ''
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value 3
# identityType 3 = SpecificUser

Restart the service/application pool after configuration:

Restart-Service 'MyServiceName'
# Or for IIS: iisreset /restart

Grant local permissions if needed:

# gMSA needs local permissions just like a standard service account
# For example, if the service needs 'Log on as a service' right:
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > Log on as a service
# Add: DOMAIN\svc-webapp$

Migrating from Legacy Service Accounts to gMSA

Migration is the hard part. Legacy service accounts often have undocumented dependencies -- scheduled tasks, COM+ applications, custom application configs.

Discovery step -- find all uses of a legacy service account:

# Find scheduled tasks using the account
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like '*svc-old-account*' }
# Find Windows services
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like '*svc-old-account*' } | Select-Object Name, StartName, SystemName
# Find IIS app pools (run on each web server)
import-module WebAdministration
Get-WebConfiguration system.applicationHost/applicationPools/add | Where-Object { $_.processModel.userName -like '*svc-old-account*' }

Permission migration: The gMSA needs the same permissions as the legacy account:

# Get current permissions of old account on a specific path
(Get-Acl 'C:\AppData').Access | Where-Object { $_.IdentityReference -like '*svc-old-account*' }
# Grant same permissions to gMSA
$acl = Get-Acl 'C:\AppData'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\svc-webapp$', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl 'C:\AppData' $acl

SQL Server logins for service accounts:

-- Create login for gMSA in SQL Server
CREATE LOGIN [DOMAIN\svc-webapp$] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\svc-webapp$];
-- Or grant specific database permissions
USE MyDatabase;
CREATE USER [DOMAIN\svc-webapp$] FOR LOGIN [DOMAIN\svc-webapp$];

The bottom line

gMSA is the correct long-term answer for every Windows service account. The deployment is straightforward once the KDS root key exists. The hard work is discovery: identifying every place a legacy service account is used before you can migrate. Start with a discovery sweep, create the gMSA, test on one instance, validate with Test-ADServiceAccount, then migrate services one at a time. The payoff is a service account whose password no human knows, no credential can be stuffed or sprayed, and no admin needs to action at rotation time.

Frequently asked questions

Can gMSA accounts be Kerberoasted?

Technically yes, but practically no. Kerberoasting works by requesting a Kerberos service ticket and then brute-forcing the service account's password offline. The service ticket is encrypted with the account's password hash. For a standard service account with a 12-character password, this is feasible. For a gMSA with a 240-character random password, the offline brute force is computationally infeasible with current hardware. The Kerberoasting attack returns a hash, but cracking a 240-character random key is not realistic.

What is the difference between gMSA and standalone MSA (sMSA)?

A standalone Managed Service Account (sMSA, introduced in Windows Server 2008 R2) is the single-host predecessor to gMSA. An sMSA is tied to exactly one computer and cannot be shared across multiple servers. A gMSA (Group Managed Service Account, introduced in Windows Server 2012) can be used by multiple authorized hosts simultaneously, making it suitable for clusters, web farms, and distributed services. sMSA is essentially obsolete -- use gMSA for all new deployments.

Do gMSA accounts work with non-Windows applications?

gMSA accounts require Windows hosts that can use the Key Distribution Service API to retrieve the password. Non-Windows applications (Linux daemons, containers, SaaS connectors) cannot use gMSA natively. For cross-platform scenarios, consider a secrets manager (HashiCorp Vault, Azure Key Vault, AWS Secrets Manager) with automatic rotation instead. For Windows-to-Windows scenarios, gMSA is always the right choice over manually managed service accounts.

What happens to gMSA-dependent services during the 30-day password rotation?

Nothing, by design. Active Directory stages the new password before the old one expires -- both passwords are valid during the overlap window. Windows services retrieve the current password from AD at service start and periodically refresh it. The rotation is transparent to the running service. You will only see disruption if: the host cannot reach a domain controller during the overlap window, the host is not in the authorized group, or the KDS root key has been deleted (do not delete the KDS root key).

How do I audit which gMSA accounts exist and what they have access to?

Query AD for all gMSA objects: Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames, Description. Review the PrincipalsAllowedToRetrieveManagedPassword attribute to confirm only the intended hosts are authorized. For access auditing, gMSA accounts should follow the same least privilege principles as standard accounts -- enumerate their group memberships, file system permissions, and SQL logins using the same tooling you use for standard accounts.

Can gMSA accounts be used for services that run across multiple servers, such as IIS farms?

Yes, this is one of the primary use cases for gMSA. Multiple servers can be authorized to retrieve the same gMSA's password by adding all authorized servers (or a group containing them) to the PrincipalsAllowedToRetrieveManagedPassword attribute. All servers retrieve the same managed password from the KDS root key and use the same service account identity, enabling applications that require a consistent service identity across a farm (IIS application pools, SQL Server service accounts, network services that must authenticate with Kerberos). Each server in the farm gets the same gMSA identity, so Kerberos tickets for the service are valid from any server. For load-balanced services, configure the Service Principal Names (SPNs) on the gMSA account for both the load balancer's DNS name and the individual server names if services need to be reachable by server-specific names.

Sources & references

  1. Microsoft: Group Managed Service Accounts overview
  2. Microsoft: Getting started with Group Managed Service Accounts
  3. Microsoft: Key Distribution Services

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.