Group Managed Service Accounts
"Group Managed Service Accounts (gMSAs) are special Active Directory accounts used to run services and applications securely across multiple computers. They provide automatic password management, eliminating the need for manual password updates, and support access control through permissions. gMSAs are ideal for load-balanced or clustered services, like IIS or SQL Server, where the same account is needed on several servers. They enhance security by preventing password sharing and reducing the attack surface, while simplifying service account administration in large environments."
Creating them is easy if you know how. In my opinion, it's easier to do it through PowerShell because that's the way I learnt when I started.
# Create the KDS root key (needed once per forest). Backdating the effective time makes it usable immediately in a lab; in production omit -EffectiveTime and wait the default 10 hours so every DC has replicated it.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Create the gMSA and bind it to the DNS host name of the server that will run the service.
New-ADServiceAccount -Name 'gMSA_ADCS_prod' -DNSHostName 'ca.boxcreator.htb'
# Restrict password retrieval to the members of the named group.
Set-ADServiceAccount -Identity 'gMSA_ADCS_prod' -PrincipalsAllowedToRetrieveManagedPassword 'Infrastructure Managers'
Here we are setting up the gMSA account for the ADCS service, which will be installed later on. The principals allowed to retrieve its password are the members of Infrastructure Managers. This is essentially the ReadGMSAPassword ACE: whoever holds it can fetch the account's managed password, so that group membership deserves the same scrutiny as the service itself.
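Once the gMSA exists, the question a defender wants answered is who can actually retrieve its password. The following PowerShell audit is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is available and that the broad-principal names listed in it are the ones you consider unacceptable.

```powershell
# Added example (not from the original post): list every gMSA in the domain and
# report who is allowed to read its managed password (the right BloodHound shows
# as ReadGMSAPassword, stored in msDS-GroupMSAMembership). Group members are
# expanded recursively, and grants to broad built-in principals are flagged.
Import-Module ActiveDirectory

# Assumption: these principals should never be able to retrieve a gMSA password.
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Get-GmsaPasswordReaders {
    [CmdletBinding()]
    param()

    # Only group MSAs carry PrincipalsAllowedToRetrieveManagedPassword.
    $accounts = Get-ADServiceAccount -Filter { ObjectClass -eq 'msDS-GroupManagedServiceAccount' } `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

    foreach ($acct in $accounts) {
        $readers = @()
        foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
            if ($obj.ObjectClass -eq 'group') {
                # Expand nested membership so indirect readers are visible too.
                $members = Get-ADGroupMember -Identity $dn -Recursive |
                    Select-Object -ExpandProperty SamAccountName
                $readers += [pscustomobject]@{ Principal = $obj.sAMAccountName; Members = ($members -join ',') }
            } else {
                $readers += [pscustomobject]@{ Principal = $obj.sAMAccountName; Members = '' }
            }
        }
        $broad = $readers | Where-Object { $BroadPrincipals -contains $_.Principal }

        [pscustomobject]@{
            gMSA             = $acct.SamAccountName
            PasswordInterval = $acct.'msDS-ManagedPasswordInterval'   # days; default 30
            Readers          = ($readers.Principal -join ', ')
            IndirectReaders  = (($readers.Members | Where-Object { $_ }) -join ', ')
            OverlyBroad      = [bool]$broad
        }
    }
}

# Print the report; rows with OverlyBroad = True need attention first.
Get-GmsaPasswordReaders | Format-Table -AutoSize
```

Run it as a domain user with read access to the gMSA objects; on the example above it should show gMSA_ADCS_prod with Infrastructure Managers as the only reader and its expanded membership alongside.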
Written by ruycr4ft