gMSA
Group Managed Service Account
Create a group managed service account (gMSA) as follows:
1. Verify or Create the KDS Root Key
The KDS root key is required for gMSAs to function. To check or create it:
- Open PowerShell as a Domain Admin on a domain controller or a machine with AD PowerShell modules.
- Check whether a KDS root key already exists: Get-KdsRootKey
- If nothing is returned, create one: Add-KdsRootKey -EffectiveImmediately. Note: -EffectiveImmediately makes the key usable at once on that domain controller and is fine for testing. In production, omit the parameter (the default effective time is 10 hours ahead) or pass a future -EffectiveTime, so the key has replicated to every domain controller before any gMSA depends on it.
2. Create the gMSA
Create a basic gMSA (for scheduled tasks, services, etc.) with the following template:
New-ADServiceAccount -Name "<gMSA name>" `
    -DNSHostName "<unique DNS name, e.g. gMSA-name.domain>" `
    -PrincipalsAllowedToRetrieveManagedPassword "<computer accounts or AD group allowed to retrieve the password>" `
    -Description "<description of gMSA use>" `
    -Path "<OU to create the gMSA in, e.g. OU=ServiceAccounts,DC=domain,DC=domain>"
Create a gMSA for the SQL Server service. This one account will be used by both SQL Server hosts.
- Open PowerShell with AD module access.
- Run New-ADServiceAccount as in the template above, naming the account gMSA-SQLService and listing both SQL Server hosts' computer accounts (or a group containing them) in -PrincipalsAllowedToRetrieveManagedPassword.
3. Grant Permissions to Hosts
Ensure the computer accounts have permission to use the gMSA. The -PrincipalsAllowedToRetrieveManagedPassword parameter in the previous step already configures this, but you can verify or modify it. This list is the only control over who can read the gMSA's password, so keep it to the hosts that actually run the service.
- To check, read the account's PrincipalsAllowedToRetrieveManagedPassword property with Get-ADServiceAccount -Identity "gMSA-SQLService" -Properties PrincipalsAllowedToRetrieveManagedPassword.
- To add another host (if needed): the parameter replaces the whole list rather than appending to it, so pass the existing principals plus the new computer account (the trailing $ is part of the computer account name):
  $current = (Get-ADServiceAccount -Identity "gMSA-SQLService" -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
  Set-ADServiceAccount -Identity "gMSA-SQLService" -PrincipalsAllowedToRetrieveManagedPassword (@($current) + 'serverhostname$')
4. Install the gMSA on the SQL Server Hosts
On each SQL Server host, install the gMSA so the system can retrieve its credentials.
- Log in to the host as a local administrator.
- Open PowerShell as Administrator.
- Install the Active Directory PowerShell module (the RSAT-AD-PowerShell feature) if it is not already installed.
- Install the gMSA on the host with Install-ADServiceAccount and confirm it with Test-ADServiceAccount.
- If Test-ADServiceAccount returns True, the host can retrieve the gMSA password and the account is ready to use. If it returns False, check that:
- The host is domain-joined.
- The computer account is listed in -PrincipalsAllowedToRetrieveManagedPassword, either directly or through a group. If the host was only just added to that group, its Kerberos ticket does not yet carry the membership: reboot the host (or purge the machine account's tickets) and test again.
- The KDS root key has replicated to the domain controller the host uses and its effective time has passed.
5. Configure SQL Server to Use the gMSA
Configure the SQL Server service on both hosts to use the gMSA.
- Open SQL Server Configuration Manager on each host.
- Navigate to SQL Server Services.
- Right-click the SQL Server service (e.g., SQL Server (MSSQLSERVER)) and select Properties.
- In the Log On tab:
- Select This account.
- Enter the gMSA account in the format: domain\gMSA-SQLService$.
- Leave the Password field blank (gMSAs manage passwords automatically).
- Click Apply and OK.
- Restart the SQL Server service to apply the change: Restart-Service -Name 'MSSQLSERVER'. Note: for a named instance the service name is MSSQL$INSTANCENAME; keep it in single quotes in PowerShell, since in double quotes $INSTANCENAME would be expanded as a variable.
- Repeat this on every host that runs the service.
Group Policy
For the gMSA to run scheduled tasks or services on a server it must hold the "Log on as a batch job" (SeBatchLogonRight) and/or "Log on as a service" (SeServiceLogonRight) user right. SQL Server Configuration Manager grants "Log on as a service" to the account locally when you set it, but if a Group Policy object defines that right, the GPO setting replaces the local grant at the next policy refresh, so add the gMSA (domain\gMSA-SQLService$) to the GPO as well.
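The whole procedure above (KDS root key, gMSA creation, host permissions, installation and test on the host, SQL Server service account, and the user-right check) as one PowerShell script. This is an added example, not the page's own commands. Every name in it is an assumption for illustration: domain corp.example with NetBIOS name CORP, gMSA gMSA-SQLService, hosts SQL01 and SQL02, OU=ServiceAccounts, the group GG-gMSA-SQLService-Hosts and the SQL Server 2019 WMI namespace. It departs from the page in three respects, each chosen deliberately: hosts are allowed to retrieve the password through a security group rather than being listed individually on the account, RC4 is disabled on the account with -KerberosEncryptionType, and the service account is set through the SQL Server WMI provider (what Configuration Manager itself calls) instead of the GUI. Part 1 runs once in the domain; Part 2 runs on each SQL Server host with the variable block copied along.

```powershell
# Added example (not from the page): end-to-end gMSA provisioning for two SQL Server hosts.
# All names below are assumptions: domain corp.example (NetBIOS CORP), gMSA gMSA-SQLService,
# hosts SQL01/SQL02, OU=ServiceAccounts and the host group GG-gMSA-SQLService-Hosts.
$Domain    = 'corp.example'
$NetBios   = 'CORP'
$GmsaName  = 'gMSA-SQLService'            # sAMAccountName becomes gMSA-SQLService$
$GmsaOU    = 'OU=ServiceAccounts,DC=corp,DC=example'
$HostGroup = 'GG-gMSA-SQLService-Hosts'   # computer accounts allowed to fetch the password
$SqlHosts  = 'SQL01', 'SQL02'
$SqlSvc    = 'MSSQLSERVER'                # named instance: 'MSSQL$INSTANCENAME' (single quotes)

#region Part 1: run once as a Domain Admin where the ActiveDirectory module is installed
Import-Module ActiveDirectory

# 1. KDS root key: every gMSA password is derived from it, so it must exist and be effective.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey                        # default effective time is +10 h, giving DCs time to replicate
    # Single-DC lab only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Put the hosts in a group instead of listing them on the account: adding a node is then a
#    membership change, and the group is the one place to audit who can read the password.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -Path $GmsaOU
}
foreach ($h in $SqlHosts) {
    Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $h)
}

# 3. Create the gMSA. -PrincipalsAllowedToRetrieveManagedPassword is the access control on the
#    password itself; AES-only so the account's Kerberos tickets never fall back to RC4.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -Description 'SQL Server service account for SQL01/SQL02' `
        -Path $GmsaOU `
        -KerberosEncryptionType AES128, AES256
}

# Verify: only the host group should appear here.
(Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
#endregion

#region Part 2: run on each SQL Server host as a local Administrator (copy the variables above)
if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
    Install-WindowsFeature -Name RSAT-AD-PowerShell
}
Import-Module ActiveDirectory

# The host proves group membership with its own Kerberos ticket, which was issued before it
# joined the group: purge the machine account's tickets (or reboot) before testing.
klist -li 0x3e7 purge | Out-Null

Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw 'Host cannot retrieve the gMSA password: check domain join, group membership and KDS key replication'
}

# 4. Set the service account through the SQL Server WMI provider, which is what Configuration
#    Manager calls; it also grants "Log on as a service" and the instance's file/registry ACLs.
#    Namespace is per release (ComputerManagement15 = SQL Server 2019, an assumption); adjust it.
$Account = "$NetBios\$GmsaName`$"                      # CORP\gMSA-SQLService$ ; password stays blank
$svc = Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ComputerManagement15' -ClassName SqlService |
       Where-Object ServiceName -eq $SqlSvc
$r = Invoke-CimMethod -InputObject $svc -MethodName SetServiceAccount `
        -Arguments @{ ServiceStartName = $Account; ServiceStartPassword = '' }
if ($r.ReturnValue -ne 0) { throw "SetServiceAccount failed: $($r.ReturnValue)" }

Restart-Service -Name $SqlSvc
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$SqlSvc'").StartName   # expect CORP\gMSA-SQLService$

# 5. User rights: a GPO that defines SeServiceLogonRight overrides the local grant made in step 4,
#    so read the effective policy and add the gMSA to the GPO if it is missing from the list.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern 'SeServiceLogonRight|SeBatchLogonRight'
Remove-Item -Path $cfg
#endregion
```

If the Select-String output shows SeServiceLogonRight without the gMSA, the right is being set by policy and the Configuration Manager grant will be lost at the next refresh; fix it in the GPO, not locally. The klist purge in Part 2 is the usual cause of a False from Test-ADServiceAccount right after the group membership change.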