One of the newer guys wants to start converting our service accounts to group managed service accounts (gMSA). Something in the back of my head says this isn’t the greatest of ideas, but I can’t for the life of me validate that feeling. Anyone here have any reasons to NOT move toward gMSAs?
Thanks,
Joe Heaton
Managed Services and Operational Support Unit
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA 95811
Phone: 916-902-9116
Charlie Sullivan
Principal Windows Systems Administrator
So, what are the use cases? Most of my service accounts are used to run services on different machines. So, the password is set there, in Services. So, if the password is changed, I have to update it for the service to continue to work. I assume this is not a use case for gMSAs?
From: 'Charles F Sullivan' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Tuesday, May 20, 2025 6:42 AM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] gMSA's
It looks like passwords are rotated automatically (caveat: I’ve not set up a gMSA before):
gMSA passwords are completely handled by Windows: They are randomly generated and automatically rotated. Moreover, the passwords do not have to be known by any user, since the service accounts themselves are ‘installed’ on the server that is to query the password information from Active Directory at run time. As a result, gMSAs are far less susceptible to misuse and compromise than user accounts being used as service accounts.
Abusing and Securing Group Managed Service Accounts
--
John Wright
IT Support Specialist
1800 Old Bluegrass Avenue, Louisville, KY 40215
Please submit IT requests to Hazelwoo...@bluegrass.org
24 Hour Helpline 1.800.928.8000
From: 'Heaton, Joseph@Wildlife' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Tuesday, May 20, 2025 4:41 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] gMSA's
In addition to Windows Services, gMSAs also support scheduled tasks.
-Aakash Shah
From: 'Heaton, Joseph@Wildlife' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Tuesday, May 20, 2025 1:41 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] gMSA's
So, what are the use cases? Most of my service accounts are used to run services on different machines. So, the password is set there, in Services. So, if the password is changed, I have to update it for the service to continue to work. I assume this is not a use case for gMSAs?
Correct. With a gMSA in a scheduled task or service, the password is updated automatically and no user interaction is needed when the password changes periodically on its own, every ~1 month.
-Aakash Shah
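The workflow Joe asks about and Aakash answers, as an added example rather than anything posted in the thread: provision a gMSA, restrict which hosts may fetch its password, bind it to a Windows service and a scheduled task, and audit who can read each gMSA's password. It assumes the RSAT ActiveDirectory module, and the names svc-backup, APP01, BackupAgent, gMSA-Backup-Hosts and the CONTOSO domain are placeholders I made up.

```powershell
# Added example, not from the thread. Names below are assumptions.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# -EffectiveImmediately still needs roughly 10 hours of replication before every DC can use it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group can retrieve the managed password. Keep it to the hosts that need it;
# every machine in the group can read the secret, so this is the gMSA's real trust boundary.
$hostGroup = 'gMSA-Backup-Hosts'
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'APP01')

# 30-day rotation is the default and can only be set at creation time.
# Restricting Kerberos etypes to AES avoids RC4 tickets for this account.
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# On APP01, after a reboot (or a new Kerberos ticket) so the host sees its new group membership:
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount -Identity 'svc-backup'   # True once the host can fetch the password

# Windows service: the account name ends in '$' and the password field is left empty.
# The service control manager fetches the current password from AD at start-up.
sc.exe config BackupAgent obj= 'CONTOSO\svc-backup$' password= ''

# Scheduled task: LogonType Password lets the task run whether or not anyone is logged on,
# and the task scheduler retrieves the rotated password itself, so nothing is stored locally.
$action    = New-ScheduledTaskAction -Execute 'C:\Tools\backup.exe'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backup$' -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'NightlyBackup' -Action $action -Trigger $trigger -Principal $principal

# Periodic audit: which principals may read each gMSA's password, and how often it rotates.
# Anything broader than a small host group here is worth a ticket.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword
```

The point of the group rather than naming the computer account directly is operational: replacing APP01 later means changing one group membership instead of editing the gMSA, and the final query gives you a standing list of every host that can obtain each service account's secret.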
Adding to thread re. 2025 DC
Do you run Domain Controllers on Windows Server 2025? Then this is for you.
A new Active Directory privilege escalation vulnerability, BadSuccessor, has been discovered — and it’s severe.
Let me be clear:
🔓 This flaw allows a low-privileged user to gain highly privileged access — if certain permissions have been delegated.
This is not just about Full Control. It includes common delegations like “Create All Child Objects” on OUs — for example, when a department is allowed to manage its own OU structure.
In those cases, an attacker can create a Delegated Managed Service Account (DMSA) that can impersonate any AD account. From there, it's harvesting time.
🛠 No official patch is available — Microsoft acknowledged the issue but doesn’t plan to fix it (yet).
What can you do?
✅ If you have WS2025 DCs, make sure you do not have any permissions like these mentioned delegated.
✅ Akamai created a detection script that is ready to use: BadSuccessor/Get-BadSuccessorOUPermissions.ps1 at main · akamai/BadSuccessor · GitHub
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
Thank you in advance for your time.
Laszlo
Laszlo Denes
Technical Analyst Servers
Information Systems
t: ext. 214
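An added example of the delegation review Laszlo recommends, written here for this thread and not taken from Akamai's Get-BadSuccessorOUPermissions.ps1: it walks every OU and reports Allow ACEs that grant "Create All Child Objects" (CreateChild with an empty ObjectType GUID) or broader rights (GenericAll, WriteDacl, WriteOwner) to principals outside a short list of expected administrative identities. It assumes the RSAT ActiveDirectory module and its AD: drive; the list of expected identities is an assumption to adjust for your domain, and each finding is a delegation to review against your model, not a confirmed problem.

```powershell
# Added example, not the thread's or Akamai's code. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# An empty ObjectType on a CreateChild ACE means "any child object class".
$allObjectTypes = [guid]'00000000-0000-0000-0000-000000000000'
$broadRights    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Identities you expect to hold these rights on OUs (assumption; extend for your tiering model).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Test-HasRight {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    # Bitwise test: GenericAll and combined masks also carry the individual bits.
    return (($Rights -band $Flag) -eq $Flag)
}

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        $createAllChildren = (Test-HasRight $ace.ActiveDirectoryRights ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) -and
                             ($ace.ObjectType -eq $allObjectTypes)
        $broad = @($broadRights | Where-Object { Test-HasRight $ace.ActiveDirectoryRights $_ })

        if ($createAllChildren -or $broad.Count -gt 0) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Reason    = if ($createAllChildren) { 'CreateChild on all object types' }
                            else { 'Broad right: ' + ($broad -join ', ') }
            }
        }
    }
}

# Inherited ACEs repeat for every child OU; sort so one delegation shows up as one cluster.
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Departmental delegations of the kind the message describes usually appear as a non-inherited CreateChild ACE on one OU plus inherited copies on its children; the fix is to narrow that ACE to the specific object classes the department actually needs to create rather than to remove their delegation altogether.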