Managed Service Accounts & Group Managed Service Accounts
Microsoft added Managed Service Accounts (MSAs) as a new feature with the Windows Server 2008 R2 domain functional level (DFL); the password of an MSA is managed and updated automatically. The key limitation is that an MSA can only be linked to a single computer running Windows 7 or Windows Server 2008 R2 (or newer).
The Windows Server 2012 DFL introduced a needed update to MSAs called group Managed Service Accounts (gMSAs), which can be linked to any number of computers running Windows 8 or Windows Server 2012 (or newer). Once the DFL is raised to Windows Server 2012 or newer, the default AD service account creation option creates a new gMSA (for example, when using the AD PowerShell module cmdlet New-ADServiceAccount). Before creating a gMSA, the KDS root key needs to be created (Add-KDSRootKey -EffectiveImmediately).
Get-ADServiceAccount -Filter * -Properties *
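The steps above as an added example (not code from the original page): create the KDS root key if it is missing, create a gMSA whose password can only be retrieved by one group, then list every service account with the principals allowed to read its password. The names svc-web, contoso.example and WebServers-gMSA and the $broad list are assumptions made for illustration.

```powershell
# Added example. svc-web, contoso.example and WebServers-gMSA are hypothetical names.
Import-Module ActiveDirectory

# A KDS root key must exist before the first gMSA is created.
# Domain controllers can wait up to 10 hours after creation before the key is usable.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Create the gMSA; only members of the named group may retrieve its password.
$params = @{
    Name                                       = 'svc-web'
    DNSHostName                                = 'svc-web.contoso.example'
    PrincipalsAllowedToRetrieveManagedPassword = 'WebServers-gMSA'
}
New-ADServiceAccount @params

# Audit: one row per MSA/gMSA showing who can read the managed password.
# $broad is an illustrative list of groups that usually grant far too much access.
$broad = 'Domain Computers', 'Domain Users'
$props = 'PrincipalsAllowedToRetrieveManagedPassword',
         'ManagedPasswordIntervalInDays', 'PasswordLastSet'

Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
    # The property holds distinguished names; it is empty on single-computer MSAs.
    $readers = @($_.PrincipalsAllowedToRetrieveManagedPassword |
        Where-Object { $_ } |
        ForEach-Object { (Get-ADObject -Identity $_).Name })

    [pscustomobject]@{
        Name            = $_.Name
        Type            = $_.ObjectClass   # msDS-ManagedServiceAccount or msDS-GroupManagedServiceAccount
        IntervalDays    = $_.ManagedPasswordIntervalInDays
        PasswordLastSet = $_.PasswordLastSet
        PasswordReaders = $readers -join '; '
        BroadAccess     = [bool]($readers | Where-Object { $_ -in $broad })
    }
} | Sort-Object BroadAccess -Descending | Format-Table -AutoSize
```

Rows with BroadAccess set to True are the ones to review first, since any member of those groups can obtain the gMSA password.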