How To Create MSA and gMSA Accounts 1.1-1
Table of Contents
Abstract
Introduction
MSAs
gMSAs
Steps to create a gMSA
Introduction
MSAs are Active Directory accounts that are assigned to certain computers. The passwords for these accounts
are secured through length and complexity and are maintained automatically. By default, new passwords are
generated every 30 days. gMSA was first introduced in Windows Server 2012 and brings MSA functionality to
multiple servers in a domain. gMSA introduces additional flexibility to implement Network Load Balancing (NLB),
allowing a group of servers to operate as one single system and accommodating growth in highly utilized
services or servers.
• Create an MSA beginning with Windows Server 2008 and use it on Windows 7.
• Create a gMSA beginning with Windows Server 2012 and use it on Windows 8, 10, Windows Server 2012 (or later).
• Note: Microsoft no longer supports and maintains Windows 7 and Windows Server 2008 operating
systems and FactoryTalk AssetCentre Server V11.0 is compatible beginning with Windows Server 2012.
For additional compatibility information, please visit the Rockwell Automation Product Compatibility and
Download Center.
MSAs
MSAs allow you to create an account in Active Directory that is tied to a specific computer. That account has its
own complex password which is maintained automatically. This means that an MSA can run services on a
computer in a secure and easy manner, while maintaining the capability to connect to network resources as a
specific user principal.
To create MSAs you must:
• Use Active Directory (AD) on a 64-bit Windows Server 2012 or later
• Extend your AD schema to Windows Server 2012 or later
• Host services using MSAs on Windows 8, Windows 10 and Windows Server 2012 or later
• Set AD forest level to Windows Server 2012 at a minimum.
To create and deploy an MSA, you need to use several PowerShell cmdlets (a cmdlet is a lightweight command
used in PowerShell).
1. Launch PowerShell from a domain controller computer.
The returned result “True” means the key is valid and effective.
4. Create an MSA with the cmdlet “New-ADServiceAccount”.
This example creates a new MSA with the name msa002. The parameter “RestrictToSingleComputer” is
required; it marks the account as usable by a single computer only.
5. Once the MSA has been created, it needs to be installed on the computer where it will be used. Log into
the computer that will consume the MSA and launch PowerShell to install.
6. Once the MSA has been installed, verify that it is working by using the cmdlet below:
In the example above, WIN12R2 is the domain name and msa002 is the MSA created in the steps above.
It is important to append “$” to the MSA name, which denotes the account as an MSA. The Password field will
remain blank. Click OK or Apply, and the following message will appear. You must either stop and restart the
service as stated or restart the computer.
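The MSA procedure above, written out as one PowerShell session. This is an added example and not part of the original document; it assumes a domain controller with the ActiveDirectory module, the account name msa002 and domain name WIN12R2 from the page, and two assumed names: a member computer PC1 that will run the service and a service called MyService.

```powershell
# Added example (not from the original document). Assumed names: PC1 (member
# computer) and MyService (service). msa002 and WIN12R2 are taken from the page.

# --- On a domain controller ---
Import-Module ActiveDirectory

# A KDS root key must exist before any managed service account can be created.
# -EffectiveImmediately still waits about 10 hours for AD replication before
# the key can be used on other domain controllers.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}
# Returns True once the key is valid and effective (the "True" result the page refers to).
Test-KdsRootKey -KeyId (Get-KdsRootKey | Select-Object -First 1).KeyId

# Create the MSA. RestrictToSingleComputer ties the account to exactly one host.
New-ADServiceAccount -Name msa002 -RestrictToSingleComputer

# Authorize the host that will install the account (assumed name PC1).
Add-ADComputerServiceAccount -Computer PC1 -ServiceAccount msa002

# --- On the member computer PC1, in an elevated PowerShell ---
# Requires the RSAT ActiveDirectory PowerShell module on that computer.
Install-ADServiceAccount -Identity msa002

# Verify the installation; True means the computer can retrieve the password.
Test-ADServiceAccount -Identity msa002

# Point a service at the account. The trailing $ is mandatory and the password
# is left empty because the computer retrieves it from AD itself.
sc.exe config "MyService" obj= "WIN12R2\msa002$" password= ""

# The new logon account only takes effect after the service is restarted.
Restart-Service -Name "MyService"
```

A practical check after the restart is `Get-CimInstance Win32_Service -Filter "Name='MyService'"` and confirming that the StartName column shows `WIN12R2\msa002$`; if the service fails to start, Test-ADServiceAccount returning False on that host is the first thing to look at.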
• At least one domain controller must be running Windows Server 2012 or later (64-bit)
• Microsoft Active Directory must be present
• Extend the Active Directory schema to Windows Server 2012 (or later)
• Computers using gMSAs must be Windows 8, Windows 10, Windows Server 2012 or later.
• PowerShell must be available on each relevant computer.
The DNSHostName should be the full computer name of the domain controller. Use the parameter
PrincipalsAllowedToRetrieveManagedPassword to specify the group of computers allowed to use the gMSA.
Follow the steps below to create a group.
a. On the domain controller computer, launch the Active Directory Users and Computers.
b. Right click Users from the left pane and select New -> Group.
c. Enter a group name and select a group scope.
d. Click OK to exit.
e. In the right pane double click PCGroup to open its properties dialog.
f. Select the Members and click the Add button.
h. Click Find Now and select Domain Computers from the list. Click OK until you return to the Active
Directory Users and Computers.
If the group is newly created, restart both the domain controller and the computers that will use the gMSA
account, otherwise, the next step will fail.
PC1 and PC2 are two computer names. Keep in mind to append each PC name with a $ and use a comma
to separate them. When using a group name, you do not need a $ at the end.
4. After the gMSA has been successfully created, you need to install it on the computers where it will be
used. Log into those domain computers and launch PowerShell to run the cmdlet below.
To verify the gMSA is installed successfully on a computer, run the following cmdlet.
5. Apply the gMSA to a service. Change the logon account to gmsa002 and leave the password fields blank.
DO NOT miss the $ at the end of gmsa002.
6. Click OK to save the settings and restart the service to make it effective.
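The gMSA procedure above (group creation through applying the account to a service) as one PowerShell session. This is an added example, not part of the original document. It uses the names gmsa002, PCGroup, PC1, PC2 and the domain name WIN12R2 from the page; the DNS suffix win12r2.local, the domain controller name DC01, the Users container DN and the service name MyService are assumptions.

```powershell
# Added example (not from the original document). Assumed: DNS suffix
# win12r2.local, domain controller DC01, container CN=Users,DC=win12r2,DC=local
# and service name MyService. Other names come from the page.

# --- On a domain controller ---
Import-Module ActiveDirectory

# Group of computers allowed to retrieve the gMSA password (steps a to h on the page).
if (-not (Get-ADGroup -Filter "Name -eq 'PCGroup'")) {
    New-ADGroup -Name PCGroup -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,DC=win12r2,DC=local"
}
# Computer accounts carry a trailing $; separate several with commas.
Add-ADGroupMember -Identity PCGroup -Members 'PC1$', 'PC2$'

# A computer only picks up new group membership at its next logon, which is
# why the page requires a reboot before continuing; without it the later
# Install-ADServiceAccount on PC1/PC2 fails.

# Create the gMSA. The page uses the full DC name for -DNSHostName.
# Either a group or an explicit list of computer accounts may be given to
# -PrincipalsAllowedToRetrieveManagedPassword.
New-ADServiceAccount -Name gmsa002 `
    -DNSHostName 'DC01.win12r2.local' `
    -PrincipalsAllowedToRetrieveManagedPassword PCGroup
# Explicit form without a group:  -PrincipalsAllowedToRetrieveManagedPassword 'PC1$','PC2$'

# Review who may retrieve the password and the rotation interval in days
# (30 by default, matching the page).
Get-ADServiceAccount -Identity gmsa002 `
    -Properties 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-ManagedPasswordInterval' |
    Select-Object Name, 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-ManagedPasswordInterval'

# --- On each member computer (PC1, PC2), in an elevated PowerShell ---
Install-ADServiceAccount -Identity gmsa002
# True means this host can retrieve the managed password.
Test-ADServiceAccount -Identity gmsa002

# Apply the gMSA to a service: trailing $ required, password left empty, then restart.
sc.exe config "MyService" obj= "WIN12R2\gmsa002$" password= ""
Restart-Service -Name "MyService"
```

Keeping PrincipalsAllowedToRetrieveManagedPassword limited to the exact computers that run the service is the control that matters here: any principal in that list can ask a domain controller for the current password, so reviewing the list with Get-ADServiceAccount after changes is a worthwhile routine check.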
• The Log On page for a service is greyed out after adopting an MSA or gMSA account. How can it be re-enabled?
1. Launch the Command Prompt as Administrator.
2. Enter and run SC ManagedAccount “Service Name” false
The Service Name must be exactly the same as shown in the service’s properties dialog.