3.6 Managing Group Managed Service Accounts

A group Managed Service Account (gMSA) is a managed domain account that you can assign to services on computer resources. You do not have to update the password for these accounts manually in Active Directory; Windows Server generates and rotates the password automatically.

You can create and manage a gMSA from the DRA Web Console. A group managed service account can be used on multiple computers to run services. Computers that are authorized to use a gMSA retrieve its current password from Active Directory when they start a service that runs as that account.

With the appropriate powers, you can perform various tasks related to group Managed Service Accounts. Execute a search operation to locate and select the required gMSA object. After you select one or more objects in the list, the task bar becomes active with options to delete objects, add objects to groups, remove objects from groups, move objects from one container to another, and modify gMSA properties. You can also download search results as a CSV file. Click an option to display its function.

Create a gMSA

When you create a gMSA, you must specify the host where this account is used and the computer objects that can use the account (the membership policy). Only computer objects defined in the membership policy can retrieve the gMSA password and use it to run services. Alternatively, you can specify a security group that contains the computer objects; the policy can then be changed by editing the group membership instead of the account.

To create a new gMSA, navigate to Management > Search, and select Group Managed Service Account in the Create drop-down menu.
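The following is an added example, not DRA Web Console code and not taken from the product documentation: it shows the Active Directory PowerShell equivalent of the create step above, so that the account and its membership policy can be verified from the command line after DRA has created them. The account name, DNS host name, group name and password interval are assumptions.

```powershell
# Added example (not DRA code): create a gMSA with a group-based membership
# policy and verify what was actually written to the directory.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$gmsaName  = 'svcWebApp'                   # assumed gMSA name (sAMAccountName svcWebApp$)
$dnsHost   = 'svcwebapp.corp.example.com'  # assumed host where the service runs
$hostGroup = 'gMSA-WebApp-Hosts'           # assumed security group of computer objects

# A gMSA cannot be created until the forest has a KDS root key.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists in this forest; create one first with Add-KdsRootKey.'
}

# Membership policy: only members of $hostGroup may retrieve the managed password.
# Using a group rather than individual computers lets the policy change without
# modifying the account object.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# Check the policy and enabled state on the created object. The principal list
# should contain only the distinguished name of $hostGroup; any extra entry is a
# host that can obtain the service password.
$acct = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, Enabled
$acct.PrincipalsAllowedToRetrieveManagedPassword
$acct.Enabled

# On each computer that is a member of $hostGroup (after a reboot or ticket
# refresh so the new group membership is in the computer's token):
#   Install-ADServiceAccount -Identity svcWebApp
#   Test-ADServiceAccount -Identity svcWebApp   # $true when the host can retrieve the password
```

Test-ADServiceAccount returning $false on a host that is listed in the group is the usual sign that the computer's Kerberos ticket predates its group membership; a reboot of that host, not a change to the gMSA, is the fix.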

Modify gMSA properties

You can modify gMSA properties. The powers you have determine which properties you can modify for a gMSA in the managed domain.

Enable gMSA

Enabling a gMSA allows it to be used as the logon credentials for a service on a computer. You can enable or disable a gMSA from the Accounts tab.

Manage group memberships for gMSA

You can add group managed service accounts to, or remove them from, a specific group in the managed domain or managed subtree.

Move a gMSA to another container

A gMSA is created in the Managed Service Accounts container in Active Directory by default. You can move a group managed service account from the default container to another container, such as an OU, in the managed domain or managed subtree.

Delete a gMSA

You can permanently delete a group managed service account from the managed domain or managed subtree. Deletion is permanent: any service configured to run as the deleted gMSA fails to start the next time it is launched.