Understanding the Differences Between MSAs and gMSAs

Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) serve different purposes. Find out why they were created and when you'd use a gMSA instead of an MSA.

Jan De Clercq

July 18, 2013

2 Min Read
Understanding the Differences Between MSAs and gMSAs

Q: What's the difference between a Managed Service Account (MSA) and a group Managed Service Account (gMSA)?

A: An MSA is a special type of domain account that Microsoft supports in Windows Server 2008 R2 Active Directory (AD) and later. It overcomes the password management problems that administrators encounter when they set up a custom domain account for authenticating a service. Administrators typically prefer to define custom accounts because these accounts allow them to better isolate the privileges of an application, which isn't the case when one of the built-in high-privilege local accounts (e.g., Local System, Local Service, Network Service) is used as the service account. But unlike the built-in high-privilege local accounts, custom accounts don't have automatic password management. Therefore, when you use custom accounts, you need to manually manage their passwords or create a custom solution for managing them.

Related: Simplifying Services with Managed Service Accounts

MSAs resolve this problem by providing automatic password management. They also simplify the setup of Service Principal Names (SPNs) for a service. However, you can't use MSAs to share a single service account and password for clustered services in a failover clusteror for load-balanced services in a web farm. In these scenarios, you need to manually keep the passwords of the different service instances in sync or implement a custom solution for automatic password synchronization.

Windows Server 2012 gMSAs resolve this problem for load-balanced services in a web farm. Unfortunately, they don't work yet (at the time of writing) for clustered services in a failover cluster.

Behind gMSAs is the new Microsoft Key Distribution Service that runs on every Server 2012 domain controller (DC). It ensures that the password of the single service account that's used by different service instances in a web farm is kept in sync between those different instances. To use gMSAs, your AD schema must be updated to Server 2012 and one or more Server 2012 DCs need to be running the Microsoft Key Distribution Service. This service is automatically installed on every DC, but it must be manually started by default. Note that gMSAs can be used only by services that run on Server 2012. You can create and administer gMSAs using a set of Windows PowerShell cmdlets. For more information on gMSAs, I recommend that you read "Getting Started with Group Managed Service Accounts."

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like