I have many instances of an application installed on a bunch of application servers that consists on an IIS Site (.NET application), a Windows Service and an SQL Database hosted on separate SQL Servers (each instance has its own DB).
Each application instance has its own domain user used to run the App Pool and Windows Service with only the needed privileges to run on the right server and access its database. I am contemplating implementing Group Managed Service Accounts (gMSA) so these account's passwords do not need to be stored and kept anywhere and also they get automatically reset every so often without extra admin work or application downtime.
The concept sounds beautiful and based on everything I've read about it this looks like a perfect fit, but, I do not really understand what happens then the password is reset automatically by AD. From my understanding, every time a service or app pool or a Windows task configured with the gMSA starts on a server where it has been installed, the server requests the current password and uses it to start the process. What does this mean for network resource access when a service has not been restarted in a long time? what will happen when a service that has been running pass a password reset tries to make a connection to the database (on a separate SQL Server where the gMSA in not installed but has been given Read/Write over the DB) or access a file on a network share, etc.?
Could someone with knowledge/experience here explain? are these accounts really maintenance free and can we just configure them, start all and forget about it?