This topic shows you how to create a group Managed Service Account (gMSA) in
Managed Service for Microsoft Active Directory. Follow the standard Microsoft
instructions for creating a gMSA
(https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts#create-a-group-managed-service-account)
and incorporate the following special considerations for Managed Microsoft AD.
Do not create KDS root key
Usually, the first time you create a gMSA in a domain, you need to generate a
Key Distribution Service (KDS) root key (the Add-KdsRootKey step in the standard
instructions). Managed Microsoft AD generates a KDS root key for you when you
create the domain, so skip that step: do not run Add-KdsRootKey in a Managed
Microsoft AD domain.
View the KDS root key
Before you begin, make sure the Active Directory Sites and Services tool is
installed from Remote Server Administration Tools (RSAT).
To view the KDS root key, complete the following steps:
1. In Windows, launch the Active Directory Sites and Services tool. To launch
   this tool, open the Run dialog box and enter dssite.msc.
2. In the Active Directory Sites and Services tool, open the View menu.
3. In the View menu, select Show Services Node.
4. In the left pane, select Services > Group Key Distribution Service > Master
   Root Keys.
5. The right pane lists the root keys for your domain. Select a key to view its
   details.
Note that running the Get-KdsRootKey PowerShell cmdlet as a delegated
administrator returns an empty response even though a valid KDS root key exists;
the cmdlet only returns the key when it is run as a Domain Admin. Treat an empty
result from Get-KdsRootKey as a permissions limitation, not as a missing key, and
do not react to it by running Add-KdsRootKey. Use the Active Directory Sites and
Services view described above to confirm that the key is present.
Create account under Managed Service Accounts container
For a Managed Microsoft AD domain, create new gMSAs under the
Managed Service Accounts container. By default, the New-ADServiceAccount cmdlet
creates new gMSAs in this location, so do not pass a -Path argument that points
at a different container or OU. For more information, see the
New-ADServiceAccount cmdlet reference
(https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount?view=windowsserver2022-ps).
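The following PowerShell script is an added example that ties the two considerations above together (it is not code from the Managed Microsoft AD documentation or from Microsoft's standard instructions). It confirms that a KDS root key already exists without calling Add-KdsRootKey, creates the gMSA with the default path, and verifies that the account landed in the Managed Service Accounts container. It assumes the RSAT ActiveDirectory module is installed, that you run it as a delegated administrator of the managed domain, and that a delegated administrator can enumerate the objects under Master Root Keys over LDAP (the same objects the Sites and Services console lists; the script never reads key material). The domain name, account name and host group name are placeholders.

```powershell
# Added example: create a gMSA in a Managed Microsoft AD domain.
# Assumptions: RSAT ActiveDirectory module present; run as a delegated admin;
# $Domain, $AccountName and $HostGroup are placeholders you must replace.
Import-Module ActiveDirectory

$Domain      = 'example.com'      # placeholder: your managed domain
$AccountName = 'svc-web01'        # placeholder: gMSA name (15 characters or fewer)
$HostGroup   = 'gMSA-Web-Hosts'   # placeholder: group of computers allowed to use the gMSA

$rootDse = Get-ADRootDSE -Server $Domain

# 1. Confirm a KDS root key exists. In Managed Microsoft AD, Get-KdsRootKey
#    returns nothing for a delegated admin, so an empty result is NOT proof that
#    the key is missing. Enumerate the Master Root Keys container instead
#    (assumption: the delegated admin can read these objects, as the
#    Sites and Services console does). Never run Add-KdsRootKey here.
$keysDn = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services," +
          $rootDse.configurationNamingContext
$rootKeys = Get-ADObject -Server $Domain -SearchBase $keysDn -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=msKds-ProvRootKey)' -Properties whenCreated
if (-not $rootKeys) {
    throw "No KDS root key visible under $keysDn. Do not run Add-KdsRootKey; contact support."
}
if (-not (Get-KdsRootKey)) {
    Write-Verbose 'Get-KdsRootKey returned nothing (expected without Domain Admin); key confirmed via LDAP.'
}

# 2. Create the gMSA. No -Path is given, so New-ADServiceAccount uses its default
#    location, the Managed Service Accounts container. AES-only Kerberos and a
#    30-day password rotation are hardening choices, not requirements of the page.
$gmsa = New-ADServiceAccount -Server $Domain -Name $AccountName `
            -DNSHostName "$AccountName.$Domain" `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
            -KerberosEncryptionType AES128,AES256 `
            -ManagedPasswordIntervalInDays 30 `
            -PassThru

# 3. Verify the account was created where Managed Microsoft AD expects it.
$expectedContainer = "CN=Managed Service Accounts," + $rootDse.defaultNamingContext
if ($gmsa.DistinguishedName -notlike "*,$expectedContainer") {
    throw "gMSA created at unexpected location: $($gmsa.DistinguishedName)"
}
Write-Output "Created $($gmsa.DistinguishedName)"

# 4. On a computer that is a member of $HostGroup (rebooted after being added,
#    so its Kerberos ticket carries the new group), install and test the account:
#    Install-ADServiceAccount -Identity $AccountName
#    Test-ADServiceAccount -Identity $AccountName   # should return True
```

Run the script from a domain-joined management host with -Verbose to see the note about Get-KdsRootKey. If step 3 throws, the account was created with an explicit or inherited path outside the Managed Service Accounts container; remove it with Remove-ADServiceAccount and re-create it without a -Path argument.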
Delegate administration of Managed Service Accounts
You can delegate administration of the Managed Service Accounts container to a
user by adding them to the Cloud Service Managed Service Account Administrators
group. For more information about the groups that Managed Microsoft AD creates
for you, see Groups (/managed-microsoft-ad/docs/objects#groups).
Last updated 2025-09-04 UTC.