Create a group Managed Service Account

This topic shows you how to create a group Managed Service Account (gMSA) in Managed Service for Microsoft Active Directory. You should follow these standard instructions for setting up the account and incorporate the following special considerations for Managed Microsoft AD.

Do not create KDS root key

Usually, the first time you create a gMSA in a domain, you need to generate a Key Distribution Service (KDS) root key. Managed Microsoft AD generates a KDS root key for you when you create the domain, so you can skip that step from the standard instructions.

View the KDS root key

Before you begin, be sure that the Active Directory Sites and Services tool is installed from Remote Server Administration Tools (RSAT).

To view the KDS root key, complete the following steps:

  1. In Windows, launch the Active Directory Sites and Services tool. To launch this tool, you can open the Run command dialog box, and then enter dssite.msc.
  2. In the Active Directory Sites and Services tool, select the View tab.
  3. In the View menu, select Show Services Node.
  4. In the left pane, select Services > Group Key Distribution Service > Master Root Keys.
  5. The right pane shows a list of keys for your domain. Select a key to view its details.

Note that running the Get-KdsRootKey PowerShell cmdlet returns an empty response even though a valid KDS root key exists; the key is visible only when you run the Get-KdsRootKey cmdlet as a Domain Admin. An empty result therefore does not mean the key is missing.

Create account under Managed Service Accounts container

For a Managed Microsoft AD domain, new gMSAs should be created under the Managed Service Accounts container. By default, the New-ADServiceAccount cmdlet creates new gMSAs in this location, so you do not need to pass a Path parameter. For more information, see the New-ADServiceAccount cmdlet.

Delegate administration of Managed Service Accounts

You can delegate the administration of the Managed Service Accounts container to a user by adding them to the Cloud Service Managed Service Account Administrators group. For more information about the groups that Managed Microsoft AD creates for you, see Groups.
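The following PowerShell script is an added example that is not part of this page or of Managed Microsoft AD itself. It walks through the considerations above end to end: it does not try to create a KDS root key, it creates the gMSA in the default Managed Service Accounts container (no Path parameter), it limits password retrieval to a dedicated host group rather than to all domain computers, it verifies where the account landed, and it delegates container administration through the Cloud Service Managed Service Account Administrators group. The gMSA name, DNS host name, host group name, the OU holding that group, the member host, and the delegated user are all constructed placeholders to replace with your own values.

```powershell
# Added example (not from the Managed Microsoft AD docs or the product): create a gMSA in the
# default "Managed Service Accounts" container, restrict which hosts may retrieve its password,
# verify the result, and delegate administration via the group named on the page.
# Every value below marked "constructed" or "placeholder" is an assumption, not a real name.
Import-Module ActiveDirectory

$GmsaName       = 'svc-web01'                                  # constructed
$GmsaDnsName    = 'svc-web01.example.com'                      # constructed
$HostGroup      = 'gMSA-svc-web01-Hosts'                       # constructed: only these hosts may fetch the password
$HostGroupOu    = 'OU=<your-delegated-OU>,DC=example,DC=com'   # placeholder: an OU your account can write to
$MemberHost     = 'WEB01$'                                     # constructed: computer accounts end in $
$DelegatedAdmin = 'alice'                                      # constructed: user who will manage the container
$AdminGroup     = 'Cloud Service Managed Service Account Administrators'   # group named on the page

# 1. Skip the KDS root key step. Managed Microsoft AD created the key with the domain, and
#    Get-KdsRootKey only shows it when run as Domain Admin, so an empty result is not an error.
$rootKeys = Get-KdsRootKey
if (-not $rootKeys) {
    Write-Host 'Get-KdsRootKey returned nothing (expected unless running as Domain Admin); continuing.'
}

# 2. Create a security group holding the computer accounts allowed to retrieve the managed
#    password. Granting retrieval to a purpose-built group instead of "Domain Computers" keeps
#    the gMSA usable only on the hosts that actually run the service.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -Path $HostGroupOu
}
Add-ADGroupMember -Identity $HostGroup -Members $MemberHost

# 3. Create the gMSA. No -Path: New-ADServiceAccount defaults to CN=Managed Service Accounts,
#    which is where Managed Microsoft AD expects gMSAs. AES-only Kerberos keys avoid RC4.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName $GmsaDnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType 'AES128,AES256' `
    -ManagedPasswordIntervalInDays 30 `
    -Description 'Service account for the web front end (constructed example)'

# 4. Verify the account is under the expected container and that only the host group can
#    retrieve its password. Fail loudly if it ended up somewhere else.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties DistinguishedName, PrincipalsAllowedToRetrieveManagedPassword
$expectedContainer = 'CN=Managed Service Accounts,' + (Get-ADDomain).DistinguishedName
if ($gmsa.DistinguishedName -notlike "*,$expectedContainer") {
    throw "gMSA $GmsaName is at '$($gmsa.DistinguishedName)', not under $expectedContainer"
}
$gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { Write-Host "Password retrievable by: $_" }

# 5. Delegate administration of the container by adding the user to the group the page names,
#    then list the membership so the change is visible and auditable.
Add-ADGroupMember -Identity $AdminGroup -Members $DelegatedAdmin
Get-ADGroupMember -Identity $AdminGroup | Select-Object SamAccountName, objectClass

# 6. On the member host itself (here WEB01, not on the admin workstation), install and test:
#    Install-ADServiceAccount -Identity 'svc-web01'
#    Test-ADServiceAccount -Identity 'svc-web01'   # True when the host can retrieve the password
```

Run the script from a workstation with the RSAT Active Directory module, as a user who is a member of the delegated admin group for your Managed Microsoft AD domain. The container check in step 4 is the part worth keeping in your own tooling: it catches a gMSA created with an unexpected Path before the account is handed to a service.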