Using a Managed Service Account (MSA or gMSA) in ADManager Plus

A Managed Service Account (MSA) or group Managed Service Account (gMSA) is a more secure and scalable service account with the characteristics of a computer object. The passwords of MSAs/gMSAs are random and are automatically updated by the Windows OS. These accounts can be used to secure services running on a single server or a server cluster.

In addition to traditional service accounts, an MSA/gMSA can also be provided in ADManager Plus to administer your AD network. This guide walks you through the benefits of MSAs/gMSAs and how to use them in ADManager Plus.

Benefits of using MSAs/gMSAs instead of traditional service accounts

  • Mitigate password attacks: MSA/gMSA passwords are 240 bytes long and are randomly generated. This can help reduce the password attack surface.
  • Automated password management: MSA/gMSA passwords are changed every 30 days automatically and don't require any admin intervention.
  • Server-cluster deployment: Secure services running across multiple servers by deploying MSAs/gMSAs.

How to use an MSA/gMSA in ADManager Plus?

An MSA/gMSA can only be used when ADManager Plus is run as a service and when Domain Admin/user account credentials are not provided during domain configuration.

  1. Stop ADManager Plus.
  2. Open Windows Service Manager (Services.msc).
  3. Right-click on ManageEngine ADManager Plus and click Properties.
  4. Navigate to the Log On tab and select This Account:.
  5. Browse and locate the MSA/gMSA account that you would like to use and click OK.
  6. Start ADManager Plus as a service.
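To check the result of the steps above, the following PowerShell sketch confirms that the server is allowed to use the account and that the service is actually logging on with it. It is an added example, not ManageEngine's own tooling. It assumes the ActiveDirectory (RSAT) module is installed on the ADManager Plus server, and `svc-admp$` is a placeholder sAMAccountName for your MSA/gMSA.

```powershell
# Added example: pre/post-check for the service logon change described above.
Import-Module ActiveDirectory

$displayName = 'ManageEngine ADManager Plus'  # service display name from step 3
$expectedSam = 'svc-admp$'                    # placeholder account name (assumption)

# Before step 5: can this host use the managed account?
# Test-ADServiceAccount returns $false when the host cannot retrieve the password.
if (-not (Test-ADServiceAccount -Identity $expectedSam)) {
    throw "$expectedSam is not usable on $env:COMPUTERNAME. For a gMSA, check PrincipalsAllowedToRetrieveManagedPassword."
}

# For a gMSA, list which principals may retrieve the password (keep this list minimal).
Get-ADServiceAccount -Identity $expectedSam -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword

# After step 6: confirm the service logon account and state.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on this host." }

# StartName is normally DOMAIN\account$; keep only the account part for comparison.
$logonSam = ($svc.StartName -split '\\')[-1]

[pscustomobject]@{
    Service          = $svc.Name
    StartName        = $svc.StartName
    State            = $svc.State
    UsesExpectedAcct = ($logonSam -ieq $expectedSam)
}
```

If `UsesExpectedAcct` is false, the service is still running under the previous logon account and the change in steps 4 and 5 did not take effect.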

The MSA/gMSA account must have sufficient permissions to carry out the desired tasks in ADManager Plus. Refer to this document to learn about the minimum permissions required by these accounts.

Limitations of using MSA/gMSA in ADManager Plus

Using an MSA/gMSA account in ADManager Plus has a lot of advantages in terms of security, but it comes with a few limitations.

  • Exchange and Skype for Business management tasks cannot be performed.
  • GPOs cannot be force updated.
  • Users and groups cannot be migrated.
  • Resultant Set of Policy and GPO Modeling reports cannot be updated.

 
