Saturday, September 17, 2022

Please use Active Directory Group Managed Service Accounts!

This post covers the justification and design for a gMSA. It is also an appeal to Microsoft to increase the number of their services that support gMSAs (specifically SharePoint). If you are looking for a quick step-by-step guide on how to use a gMSA, see the Microsoft Tech Community step-by-step post linked in the references below.

What is a gMSA?

Every domain-joined computer has a machine account whose password the computer itself changes automatically; by default this happens every 30 days. A Managed Service Account is a service account that reuses this mechanism, so that its password is rotated the same way without an administrator ever setting or knowing it.

Why use a gMSA?

It rolls the password of the service account automatically: a long, randomly generated password that no administrator knows is rotated on schedule, which removes the manually managed and rarely changed service account password that periodic-change standards complain about. Unlike the original standalone Managed Service Account, which is bound to a single host, a group Managed Service Account can be used on several hosts at once, which is what makes it usable for load-balanced farms of application servers.

How does a gMSA work?

A gMSA is an Active Directory object of class msDS-GroupManagedServiceAccount, which derives from the computer class (itself derived from user), so it is both a user account and a computer account. This lets it use the same mechanism for rolling passwords as a computer account. The password is computed by the Microsoft Key Distribution Service (KDS) on the domain controllers from a KDS root key that is created once per forest; nobody sets it by hand. Only the hosts or groups listed in the account's PrincipalsAllowedToRetrieveManagedPassword attribute may fetch the current password, which they read from a domain controller (the msDS-ManagedPassword attribute) over an encrypted LDAP connection when the service starts or the password changes. Rolling is done according to a 30 day schedule by default; the interval is set per account at creation time (ManagedPasswordIntervalInDays), cannot be changed afterwards, and is not governed by the domain password policy in Group Policy.
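The following PowerShell is an added example, not code from the original post, showing the whole lifecycle described above: creating the KDS root key, creating a gMSA that only a dedicated host group can retrieve, installing it on a host, and checking who can read the password and when it next rolls. The account name svc-web, the group WebServers, the domain contoso.com and the service name MyWebService are hypothetical. It assumes the ActiveDirectory RSAT module and rights to create service accounts in the domain.

```powershell
# Added example (not from the original post). svc-web, WebServers,
# contoso.com and MyWebService are hypothetical names.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which the DCs derive gMSA passwords.
#    Even with -EffectiveImmediately the key is usable only after ~10 hours of replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Least privilege: only the hosts that actually run the service may retrieve the
#    password. Use a dedicated group rather than "Domain Computers"; any local admin
#    on a member host can extract the password from that host.
$hostGroup = Get-ADGroup -Identity 'WebServers'

# 3. Create the gMSA. The rotation interval is fixed at creation and cannot be
#    changed later; the password itself is never typed or stored by an admin.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -Enabled $true

# 4. On each member host (reboot first so the new group membership is in its token),
#    cache the account locally and verify the host can retrieve the password.
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'     # returns True when retrieval works

# 5. Audit check: who may read the password, and when does it next roll?
$acct = Get-ADServiceAccount -Identity 'svc-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', PasswordLastSet
$acct.PrincipalsAllowedToRetrieveManagedPassword
$nextRoll = $acct.PasswordLastSet.AddDays($acct.'msDS-ManagedPasswordInterval')
'Password last set {0:u}; next rotation on or after {1:u}' -f $acct.PasswordLastSet, $nextRoll

# 6. Assign the account to a Windows service. The logon name carries a trailing $
#    and the password is left blank; the host fetches it from a DC.
sc.exe config MyWebService obj= 'CONTOSO\svc-web$' password= ''
```

Step 5 is the check worth scripting: if PrincipalsAllowedToRetrieveManagedPassword ever lists a broad group, every member of that group can read the password, and the benefit of a secret that "no administrator knows" is lost.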

What should Microsoft do?

At present, for Exchange Server we have to roll the passwords manually. This is because of a dependency on Windows Cluster Services.
SharePoint has its own "Managed Accounts" feature, in which SharePoint itself rolls the password. One can schedule how often the password is rolled; there are also options to make sure it is rolled before the domain password policy would force the change, and to send an email notification before a password change. With a gMSA none of this would be needed, because SharePoint would never hold the password at all.

References:

https://community.spiceworks.com/topic/151704-how-often-should-i-change-passwords-for-servers-firewalls-etc
https://www.stigviewer.com/stig/windows_2008_member_server/2018-03-07/finding/V-14271
https://docs.microsoft.com/en-us/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-work-with-group-managed-service-accounts/ba-p/329864
https://itconnect.uw.edu/wares/msinf/ous/guide/gmsa/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10)?redirectedfrom=MSDN

www.software-smith.com