Delegated Managed Service Accounts

"A delegated Managed Service Account (dMSA)—introduced in Windows Server 2025—is a special AD account used to run services securely on a single, specified server. Its password is fully randomized and automatically rotated by AD, and authentication is strongly tied to the machine’s identity via Credential Guard. It can replace existing service accounts without requiring application changes: the original account gets disabled while the dMSA takes over, reducing credential-harvesting risks (e.g., kerberoasting) and improving security."

As we did with gMSA accounts, we will create these using PowerShell.

New-ADServiceAccount -Name 'dMSA_ADCS_prod' `
    -DNSHostName 'ca.boxcreator.htb' `
    -CreateDelegatedServiceAccount `
    -PrincipalsAllowedToRetrieveManagedPassword 'WS01$' `
    -Path 'OU=Restricted Administratorss,DC=boxcreator,DC=htb'

In this case, the principal allowed to retrieve the managed password is WS01$, the computer account of the host that will run the service as the dMSA.
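The following script is an added example and not part of the original post: it creates the dMSA exactly as above and then reads the account back to verify who is permitted to retrieve its managed password, which is the setting a defender should audit, since a broad principal (a large group rather than a single host) would undo the "single, specified server" property. The account name, DNS host name, WS01$ and the OU path come from the page; the list of "broad" group names is an assumption about what an auditor would treat as too wide, and the script assumes the ActiveDirectory module on a Windows Server 2025 forest.

```powershell
# Added example (not the page's own code): create the dMSA and audit its
# PrincipalsAllowedToRetrieveManagedPassword attribute.
Import-Module ActiveDirectory

$AccountName = 'dMSA_ADCS_prod'
$DnsHostName = 'ca.boxcreator.htb'
$AllowedHost = 'WS01$'
$TargetOU    = 'OU=Restricted Administratorss,DC=boxcreator,DC=htb'

# Create the account only if it does not already exist, so re-running is safe.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName $DnsHostName `
        -CreateDelegatedServiceAccount `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHost `
        -Path $TargetOU
}

# Read the account back with the attribute that controls password retrieval.
$dmsa = Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, Enabled

# Assumed audit list: groups that would let far more than one host fetch the password.
$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

$findings = foreach ($dn in $dmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $principal = Get-ADObject -Identity $dn -Properties objectClass
    [pscustomobject]@{
        Principal   = $principal.Name
        ObjectClass = $principal.objectClass
        IsGroup     = ($principal.objectClass -eq 'group')
        TooBroad    = ($BroadPrincipals -contains $principal.Name)
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object TooBroad) {
    Write-Warning "$AccountName: a broad group can retrieve the managed password; restrict PrincipalsAllowedToRetrieveManagedPassword to the host computer account."
}
elseif ($findings | Where-Object IsGroup) {
    Write-Warning "$AccountName: retrieval is granted to a group; review its membership, a single computer account is the expected scope."
}
else {
    Write-Host "$AccountName: only $($findings.Principal -join ', ') can retrieve the managed password."
}
```

Run this from a host with the AD RSAT module as an account allowed to create objects in the target OU. The same read-back and checks work for existing gMSA and dMSA accounts if you drop the creation step and loop over `Get-ADServiceAccount -Filter *`.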

Written by ruycr4ft