Group Managed Service Accounts (gMSA): How to Replace Service Account Passwords with Automatic Key Management

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Service accounts with static passwords are one of the most reliable lateral movement paths in Active Directory environments. They accumulate over years, often have elevated permissions, and their passwords are stored in scripts, configuration files, and the memory of admins who set them up years ago. gMSA eliminates the entire class of 'service account password known to humans' by making the credential a domain-managed secret that rotates automatically and is never human-readable. The deployment involves one prerequisite (KDS root key) and then a straightforward creation and authorization process.
Create the KDS Root Key (One-Time Prerequisite)
The Key Distribution Service (KDS) root key must exist in the domain before any gMSA can be created. This is a one-time operation per domain.
Check if a KDS root key already exists:
Get-KdsRootKey
# Returns the key ID and creation time if one exists
# If empty output, no key exists yet
Create the KDS root key:
# For production (key becomes effective after 10-hour replication delay)
Add-KdsRootKey -EffectiveImmediately
# Note: 'EffectiveImmediately' actually means effective in 10 hours per AD replication rules
# For lab/test environments only (effective immediately, bypasses replication delay):
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
The key replicates to all DCs automatically. Wait for replication before creating gMSAs:
# Force AD replication if needed
repadmin /syncall /AdeP
# Then verify the key is available on all DCs
Get-KdsRootKey
The KDS root key is stored as a CN=Master Root Keys object under the Group Policy container. It does not need to be renewed -- one key per domain is sufficient for all gMSAs.
Create a gMSA and Authorize Hosts
Each gMSA is created for a specific purpose (one gMSA per service or application is recommended). The host authorization list controls which machines can retrieve the password.
Create a security group for authorized hosts:
New-ADGroup -Name 'gMSA-WebApp-Hosts' `
-GroupScope Global `
-GroupCategory Security `
-Path 'OU=Service Account Groups,DC=domain,DC=com'
# Add authorized hosts to the group
Add-ADGroupMember -Identity 'gMSA-WebApp-Hosts' `
-Members 'WEBSERVER01$', 'WEBSERVER02$', 'WEBSERVER03$'
Create the gMSA:
New-ADServiceAccount `
-Name 'svc-webapp' `
-DNSHostName 'svc-webapp.domain.com' `
-PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebApp-Hosts' `
-KerberosEncryptionType AES128,AES256 `
-Path 'OU=Service Accounts,DC=domain,DC=com' `
-Description 'gMSA for WebApp service on WEBSERVER01-03'
Install the gMSA on the authorized host:
# Run on WEBSERVER01 (must be a member of gMSA-WebApp-Hosts group)
# Reboot may be required for new group membership to take effect
Install-ADServiceAccount -Identity 'svc-webapp'
# Verify it works
Test-ADServiceAccount -Identity 'svc-webapp'
# Should return: True
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Configure Windows Services and IIS Application Pools to Use gMSA
Windows service configuration:
# Set service to run as gMSA (note the trailing $ -- gMSA accounts always end with $)
Sc.exe config "MyServiceName" obj= "DOMAIN\svc-webapp$"
# Or via PowerShell
Set-Service -Name 'MyServiceName' -Credential ([System.Management.Automation.PSCredential]::new('DOMAIN\svc-webapp$', [System.Security.SecureString]::new()))
# Or via GUI: Services > Properties > Log On > This account: DOMAIN\svc-webapp$ (no password required)
Leave the password fields blank in the GUI -- gMSA accounts do not use a password field. The service account uses Kerberos to retrieve the password from AD.
IIS Application Pool configuration:
import-module WebAdministration
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.userName -Value 'DOMAIN\svc-webapp$'
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.password -Value ''
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value 3
# identityType 3 = SpecificUser
Restart the service/application pool after configuration:
Restart-Service 'MyServiceName'
# Or for IIS: iisreset /restart
Grant local permissions if needed:
# gMSA needs local permissions just like a standard service account
# For example, if the service needs 'Log on as a service' right:
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > Log on as a service
# Add: DOMAIN\svc-webapp$
Migrating from Legacy Service Accounts to gMSA
Migration is the hard part. Legacy service accounts often have undocumented dependencies -- scheduled tasks, COM+ applications, custom application configs.
Discovery step -- find all uses of a legacy service account:
# Find scheduled tasks using the account
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like '*svc-old-account*' }
# Find Windows services
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like '*svc-old-account*' } | Select-Object Name, StartName, SystemName
# Find IIS app pools (run on each web server)
import-module WebAdministration
Get-WebConfiguration system.applicationHost/applicationPools/add | Where-Object { $_.processModel.userName -like '*svc-old-account*' }
Permission migration: The gMSA needs the same permissions as the legacy account:
# Get current permissions of old account on a specific path
(Get-Acl 'C:\AppData').Access | Where-Object { $_.IdentityReference -like '*svc-old-account*' }
# Grant same permissions to gMSA
$acl = Get-Acl 'C:\AppData'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\svc-webapp$', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl 'C:\AppData' $acl
SQL Server logins for service accounts:
-- Create login for gMSA in SQL Server
CREATE LOGIN [DOMAIN\svc-webapp$] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\svc-webapp$];
-- Or grant specific database permissions
USE MyDatabase;
CREATE USER [DOMAIN\svc-webapp$] FOR LOGIN [DOMAIN\svc-webapp$];
The bottom line
gMSA is the correct long-term answer for every Windows service account. The deployment is straightforward once the KDS root key exists. The hard work is discovery: identifying every place a legacy service account is used before you can migrate. Start with a discovery sweep, create the gMSA, test on one instance, validate with Test-ADServiceAccount, then migrate services one at a time. The payoff is a service account whose password no human knows, no credential can be stuffed or sprayed, and no admin needs to action at rotation time.
Frequently asked questions
Can gMSA accounts be Kerberoasted?
Technically yes, but practically no. Kerberoasting works by requesting a Kerberos service ticket and then brute-forcing the service account's password offline. The service ticket is encrypted with the account's password hash. For a standard service account with a 12-character password, this is feasible. For a gMSA with a 240-character random password, the offline brute force is computationally infeasible with current hardware. The Kerberoasting attack returns a hash, but cracking a 240-character random key is not realistic.
What is the difference between gMSA and standalone MSA (sMSA)?
A standalone Managed Service Account (sMSA, introduced in Windows Server 2008 R2) is the single-host predecessor to gMSA. An sMSA is tied to exactly one computer and cannot be shared across multiple servers. A gMSA (Group Managed Service Account, introduced in Windows Server 2012) can be used by multiple authorized hosts simultaneously, making it suitable for clusters, web farms, and distributed services. sMSA is essentially obsolete -- use gMSA for all new deployments.
Do gMSA accounts work with non-Windows applications?
gMSA accounts require Windows hosts that can use the Key Distribution Service API to retrieve the password. Non-Windows applications (Linux daemons, containers, SaaS connectors) cannot use gMSA natively. For cross-platform scenarios, consider a secrets manager (HashiCorp Vault, Azure Key Vault, AWS Secrets Manager) with automatic rotation instead. For Windows-to-Windows scenarios, gMSA is always the right choice over manually managed service accounts.
What happens to gMSA-dependent services during the 30-day password rotation?
Nothing, by design. Active Directory stages the new password before the old one expires -- both passwords are valid during the overlap window. Windows services retrieve the current password from AD at service start and periodically refresh it. The rotation is transparent to the running service. You will only see disruption if: the host cannot reach a domain controller during the overlap window, the host is not in the authorized group, or the KDS root key has been deleted (do not delete the KDS root key).
How do I audit which gMSA accounts exist and what they have access to?
Query AD for all gMSA objects: Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames, Description. Review the PrincipalsAllowedToRetrieveManagedPassword attribute to confirm only the intended hosts are authorized. For access auditing, gMSA accounts should follow the same least privilege principles as standard accounts -- enumerate their group memberships, file system permissions, and SQL logins using the same tooling you use for standard accounts.
Can gMSA accounts be used for services that run across multiple servers, such as IIS farms?
Yes, this is one of the primary use cases for gMSA. Multiple servers can be authorized to retrieve the same gMSA's password by adding all authorized servers (or a group containing them) to the PrincipalsAllowedToRetrieveManagedPassword attribute. All servers retrieve the same managed password from the KDS root key and use the same service account identity, enabling applications that require a consistent service identity across a farm (IIS application pools, SQL Server service accounts, network services that must authenticate with Kerberos). Each server in the farm gets the same gMSA identity, so Kerberos tickets for the service are valid from any server. For load-balanced services, configure the Service Principal Names (SPNs) on the gMSA account for both the load balancer's DNS name and the individual server names if services need to be reachable by server-specific names.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
