Enterprise Security: How to configure and use Group Managed Service Accounts - Practical PowerShell for Humans
I routinely see organizations big and small still using "regular" Active Directory user accounts as service accounts. Typically, the password for those service accounts is set to never expire, or an alternate password policy only requires that the password be changed yearly. If your organization is managing service accounts like this, you are only increasing the potential for exploitation when a nefarious actor gets inside your enterprise. It's a matter of WHEN, not if.

With Windows Server 2012, Microsoft introduced Group Managed Service Accounts to address this specific situation. Group Managed Service Accounts (gMSA) are an upgrade from the Managed Service Accounts that were available in Windows Server 2008 in that a gMSA can be used on multiple servers. There is no need to create a specific service account for each server, although your internal policies may dictate otherwise.

Why use gMSA? The password is managed in Active Directory (AD) and is changed every
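As an added PowerShell example (not code from the original post), the following first lists the "regular" service accounts this post warns about and then provisions a gMSA that several servers can share; the group, account, host and domain names (gMSA-Web-Hosts, svc_web, WEB01, WEB02, corp.example) are placeholders, and the script assumes the RSAT ActiveDirectory module and domain admin rights.

```powershell
# Added example, not from the original post. Names marked PLACEHOLDER are assumed.
Import-Module ActiveDirectory

# 1. Inventory the "regular" user accounts used as service accounts: an SPN on a
#    user object means a service authenticates with it, and a non-expiring
#    password means nobody is rotating it.
$legacySvc = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.ServicePrincipalName } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }
$legacySvc | Format-Table -AutoSize

# 2. One-time forest preparation: the KDS root key from which domain controllers
#    derive gMSA passwords. Even with -EffectiveImmediately, allow about 10 hours
#    for replication before creating the first gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 3. A security group of the hosts allowed to retrieve the password. Because the
#    right is granted to a group rather than one computer, the same gMSA can
#    run a service on several servers.
$hostGroup = 'gMSA-Web-Hosts'   # PLACEHOLDER
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
$hosts = 'WEB01', 'WEB02' | ForEach-Object { Get-ADComputer $_ }   # PLACEHOLDER hosts
Add-ADGroupMember -Identity $hostGroup -Members $hosts

# 4. Create the gMSA. The password rotation interval (30 days is the default)
#    can only be set here, at creation time; AD rotates the password itself.
$gmsaName = 'svc_web'                 # PLACEHOLDER
$gmsaDns  = 'svc_web.corp.example'    # PLACEHOLDER
New-ADServiceAccount -Name $gmsaName -DNSHostName $gmsaDns `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256 `
    -Enabled $true

# 5. Verify who may fetch the password and how often AD rotates it.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# 6. On each member server, after a reboot (so the new group membership is in the
#    computer's token), cache the account and confirm the host can retrieve it:
#    Install-ADServiceAccount -Identity 'svc_web'
#    Test-ADServiceAccount    -Identity 'svc_web'   # $true when retrieval works
```

The service is then configured to log on as `DOMAIN\svc_web$` with a blank password; the accounts listed in step 1 are the candidates to migrate.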