I've talked with a few colleagues about what might be best practice for using group managed service accounts in our environment.
It seems that ideally, we would create 1 gMSA per service (e.g. SQL Agent service) per server (e.g. SQLDEV01).
This would allow for maximum separation of concerns, such that if there is any issue with a service account (compromised, deleted, locked, corrupt, etc.), it would only affect the single service and single server it is associated with.
One of the only cons to this approach is that there could be A LOT of gMSAs to create. But with that said, once they are created, there is not much need to manage them going forward.
The other issue I'm running into is naming the gMSA (I believe it must be 15 characters or less). It seems extremely difficult to come up with a name that denotes that the account is gMSA, is for a particular service, and for a particular server.
For example a generic name following typical conventions might look like:
- gMSA_SQLDEV01_SQLAGT (20 characters)
It could be shortened to something like:
- gmsaSQLDEV01AGT (15 characters)
The above example is exactly 15 characters with no room to spare for other potentially more lengthy server or service names.
Is there any best practice or ways to handle these situations:
- group managed service accounts with separation of concerns?
- group managed service accounts with long names?
The separation of concerns aspect is going to largely depend on your environment and weighing the hassle of separating things versus the simplicity of sharing accounts in certain scenarios. I mean one of the primary features of gMSAs over the original MSAs is that they can be used by more than one system.
Regarding long names...
You can easily free up some space by not giving it a prefix like `gmsa`. While it shares a lot of common classes in the `objectClass` attribute relating to normal user accounts, it also contains its own unique one called `msDS-GroupManagedServiceAccount`, which makes it easy to use in filters where you may want to include or exclude them. gMSAs are also visually distinct in GUI tools like ADUC and the like. So hypothetically, people won't confuse them with normal user accounts in day-to-day activities.

I also noticed another thing while playing around with this. Even though the `New-ADServiceAccount` cmdlet does indeed enforce a 15 character limit for `-SamAccountName`, creating an `msDS-GroupManagedServiceAccount` object manually with ADSIEdit only enforces a 20 character limit.

I didn't get as far as actually testing my 20 char length gMSA with anything. So I have no clue if it actually works with anything. But it's probably worth further testing on your part if you want more breathing room in your naming convention.
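As an added example (not code from the question or the answer), a PowerShell helper that builds a per-server, per-service gMSA name without the `gmsa` prefix, rejects names over the 15 character limit that `New-ADServiceAccount` enforces, restricts password retrieval to the one host, and then enumerates gMSAs by the `msDS-GroupManagedServiceAccount` object class rather than by name. The server names, service tags and DNS suffix are constructed placeholders; it assumes the ActiveDirectory module and an existing KDS root key.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and a KDS root key already exists in the forest.
Import-Module ActiveDirectory

# Build a compact name: <server><serviceTag>, with no 'gmsa' prefix, since the
# object class already distinguishes gMSAs from normal user accounts.
function New-GmsaName {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ServiceTag
    )
    $name = ($Server + $ServiceTag).ToUpperInvariant()
    # New-ADServiceAccount rejects names longer than 15 characters, so fail
    # early with a clear message instead of at account creation time.
    if ($name.Length -gt 15) {
        throw "gMSA name '$name' is $($name.Length) chars; limit is 15. Shorten the server name or service tag."
    }
    return $name
}

# Create one gMSA per service per server. Limiting password retrieval to the
# single computer account is what provides the isolation discussed above.
function New-PerHostGmsa {
    param(
        [Parameter(Mandatory)][string]$Server,       # e.g. SQLDEV01 (constructed)
        [Parameter(Mandatory)][string]$ServiceTag,   # e.g. AGT (constructed)
        [string]$DnsSuffix = 'corp.example'          # constructed placeholder
    )
    $name = New-GmsaName -Server $Server -ServiceTag $ServiceTag
    New-ADServiceAccount -Name $name `
        -DNSHostName "$name.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword "$Server`$" `
        -Enabled $true
}

# Enumerate gMSAs by object class, so the filter keeps working whatever
# naming convention (with or without a prefix) is used.
function Get-AllGmsa {
    Get-ADObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)' `
        -Properties sAMAccountName |
        Select-Object Name, sAMAccountName, DistinguishedName
}

# Example usage with constructed names:
# New-PerHostGmsa -Server 'SQLDEV01' -ServiceTag 'AGT'   # creates SQLDEV01AGT (11 chars)
# New-GmsaName -Server 'LONGSERVERNAME01' -ServiceTag 'AGT'   # throws: over 15 chars
# Get-AllGmsa
```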