This topic shows you how to create a group Managed Service Account (gMSA) in Managed Service for Microsoft Active Directory. Follow the standard instructions for setting up the account, and incorporate the following special considerations for Managed Microsoft AD.
Do not create KDS root key
Usually, the first time you create a gMSA in a domain, you need to generate a Key Distribution Service (KDS) root key. Managed Microsoft AD generates a KDS root key for you when you create the domain, so you can skip that step from the standard instructions.
Viewing the KDS root key
To view the KDS root key, complete the following steps.
Before you begin, be sure that the Active Directory Sites and Services tool is installed from Remote Server Administration Tools (RSAT).
- In Windows, launch the Active Directory Sites and Services tool. To launch this tool, you can open the Run command dialog box and enter the command for the tool.
- In the Active Directory Sites and Services tool, select the View tab.
- In the View menu, select Show Services Node.
- In the left pane, select Services > Group Key Distribution Service > Master Root Keys.
- The right pane shows a list of keys for your domain. Select a key to view its details.
Note that running the Get-KdsRootKey PowerShell cmdlet returns an empty response even though a valid KDS root key exists. You can only see the key when you run the Get-KdsRootKey cmdlet as the Domain Admin.
Create account under Managed Service Accounts OU
For a Managed Microsoft AD domain, new gMSAs should be created in the Managed Service Accounts organizational unit (OU). By default, the
New-ADServiceAccount cmdlet creates new gMSAs in this location. Learn
Delegate administration of Managed Service Accounts
You can delegate the administration of Managed Service Accounts to a user by adding them to the Cloud Service Managed Service Account Administrators group.
the groups that Managed Microsoft AD creates for you.
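The following PowerShell script is an added example that is not part of the original documentation: it puts the special considerations above together (skip the KDS root key, rely on the default Managed Service Accounts location, delegate via the Managed Microsoft AD group) in one gMSA creation run. The account name, DNS host name, host group and delegated user are assumptions.

```powershell
# Added example (not from the original page): create a gMSA in a Managed Microsoft AD domain.
# Run on a domain-joined management host with the ActiveDirectory RSAT module.
# 'svc-web-gmsa', 'svc-web-gmsa.example.com', 'web-servers' and 'alice' are assumed names.
Import-Module ActiveDirectory

$gmsaName     = 'svc-web-gmsa'               # assumed gMSA name
$dnsHost      = 'svc-web-gmsa.example.com'   # assumed DNS host name
$hostGroup    = 'web-servers'                # assumed group of hosts allowed to retrieve the password
$delegateUser = 'alice'                      # assumed user to delegate gMSA administration to

# Delegation (done once by an existing admin): the page's delegation step is simply
# membership of the group that Managed Microsoft AD provides for this purpose.
Add-ADGroupMember -Identity 'Cloud Service Managed Service Account Administrators' -Members $delegateUser

# Managed Microsoft AD already created the KDS root key with the domain. Get-KdsRootKey
# returns nothing unless run as Domain Admin, so an empty result is NOT a reason to
# create a key; Add-KdsRootKey is deliberately never called here.
$rootKey = Get-KdsRootKey
if (-not $rootKey) {
    Write-Warning 'Get-KdsRootKey returned nothing; expected in Managed Microsoft AD unless you are Domain Admin. Do not create a KDS root key.'
}

# Create the gMSA. No -Path is given, so New-ADServiceAccount uses its default
# Managed Service Accounts location. Only members of $hostGroup may retrieve the
# managed password; keeping this list tight is what limits who can use the account.
$params = @{
    Name                                       = $gmsaName
    DNSHostName                                = $dnsHost
    PrincipalsAllowedToRetrieveManagedPassword = $hostGroup
    KerberosEncryptionType                     = 'AES256'
    ManagedPasswordIntervalInDays              = 30
}
New-ADServiceAccount @params

# Verify placement and the password-retrieval principals before handing the account over.
$acct = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($acct.DistinguishedName -notlike '*Managed Service Accounts*') {
    throw "gMSA was created outside the Managed Service Accounts location: $($acct.DistinguishedName)"
}
$acct | Select-Object Name, DistinguishedName, PrincipalsAllowedToRetrieveManagedPassword
```

The Add-ADGroupMember line requires rights over the delegation group and can be removed if the delegated user is already a member.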