MSA (Managed Service Account) and its younger brother gMSA

On the Wojcieh.net blog I found a really nice tutorial on how to create an application user in Active Directory. So I’d like to write a few words about an alternative way to create application users: using MSA or, with Windows Server 2012, gMSA.

What is MSA?

With Windows Server 2008 R2, Microsoft introduced “Managed Service Accounts” to simplify the management of accounts that are used by applications on different servers. In the old days, administrators would create standard domain users, add these users to the local Administrators group on the remote computers, assign the “Log on as a service” right and, most of the time, set the password to never expire. Moreover, if one wanted to be more secure, the “Deny log on locally” right also had to be modified. MSA simplifies this: it offers automatic password management (passwords are updated automatically every 30 days) and simplified SPN management, which can be delegated to other administrators.