
Configure Group Managed Service Account for Active Directory

A growing number of our customers are incorporating cyber insurance policies into their organizations. These policies often mandate enhanced security measures, including removing the account that runs the Windows service from the 'Domain Admins' group. This is a sensible step toward least privilege.

To address this, we recommend creating a Group Managed Service Account (GMSA) in Active Directory. This allows the Windows service to operate with elevated rights without granting the account interactive logon privileges. In addition, the GMSA has a strong password that no user knows; Active Directory manages it automatically and rotates it every 30 days to a new, secure value.

Please execute the following steps directly from your NIM server within a PowerShell console. This approach maintains the necessary level of access for the NIM service while adhering to the enhanced security requirements of cyber insurance policies.

  1. Create the new GMSA in Active Directory.

    New-ADServiceAccount -Name <NAMEOFACCOUNT> -RestrictToSingleComputer

    Note

    By default, any GMSA is created in the container CN=Managed Service Accounts, but you can change the OU using the -Path parameter. For security, the -RestrictToSingleComputer parameter is added; it allows the GMSA to be attached to a single server only.

  2. Link your GMSA to the target computer (the NIM server). In this context, '-Identity' refers to the name of the server on which the MSA will be used.

    $TargetServer = Get-ADComputer -Identity <NIMSERVERNAMEHERE>
    Add-ADComputerServiceAccount -Identity $TargetServer -ServiceAccount <NAMEOFACCOUNT>

  3. To verify that the MSA was created, use this command.

    Get-ADServiceAccount <NAMEOFACCOUNT>

  4. Install the GMSA on the server.

    Install-ADServiceAccount -Identity <NAMEOFACCOUNT>

  5. Check whether the GMSA is installed correctly. If the command returns True, everything is configured correctly.

    Test-ADServiceAccount <NAMEOFACCOUNT>
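The five steps above combined into one script, as an added example that is not part of the NIM documentation. It runs from the NIM server in an elevated PowerShell console, skips step 1 if the account already exists, shows which computer the account is bound to after step 2, and reports a clear error if the final test fails. The account name 'svc-nim-msa' and server name 'NIMSRV01' are assumed placeholders; replace them with your own values. Note that New-ADServiceAccount with -RestrictToSingleComputer creates a standalone managed service account, which is why the account can only be installed on the one computer it is linked to.

```powershell
# Added example, not from the NIM documentation. Run on the NIM server itself,
# in an elevated PowerShell console with the RSAT Active Directory module.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory -ErrorAction Stop

$AccountName = 'svc-nim-msa'   # assumed placeholder; use your own account name
$ServerName  = 'NIMSRV01'      # assumed placeholder; use your NIM server's name

# Step 1: create the account. -RestrictToSingleComputer yields a standalone
# managed service account that can be installed on exactly one computer.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer
}

# Step 2: bind the account to the NIM server's computer object.
$TargetServer = Get-ADComputer -Identity $ServerName
Add-ADComputerServiceAccount -Identity $TargetServer -ServiceAccount $AccountName

# Step 3: confirm the object exists and which host it is bound to.
Get-ADServiceAccount -Identity $AccountName -Properties HostComputers |
    Select-Object Name, DistinguishedName, HostComputers

# Step 4: install the account on this server (must run on the server itself).
Install-ADServiceAccount -Identity $AccountName

# Step 5: Test-ADServiceAccount returns $true when this machine can retrieve
# the account's credentials; anything else means the binding or host is wrong.
if (Test-ADServiceAccount -Identity $AccountName) {
    Write-Output "Service account '$AccountName' is installed and usable on $env:COMPUTERNAME."
} else {
    Write-Error ("Test-ADServiceAccount returned False for '$AccountName'. " +
                 "Check that this host is $ServerName and that step 2 succeeded.")
}
```

When you later point the Windows service at this account, enter the account as DOMAIN\svc-nim-msa$ (with the trailing dollar sign) and leave both password fields empty; the operating system retrieves the managed password itself.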
Configure Permissions

The GMSA needs to be a member of an Active Directory group that has been delegated the required permissions on specific OUs or on the entire domain. Execute the following steps to assign permissions to the newly created GMSA.

  1. Create a new group to which permissions for the managed service account will be assigned.

  2. Add the MSA as a member of the group.

  3. In ADUC, right-click the domain root or a specific OU and select Delegate Control...

  4. Add the group from step 1.

  5. Select the following common tasks to delegate:

    1. Create, delete, and manage user accounts

    2. Reset user passwords and force password change at next logon

    3. Read all user information

    4. Modify the membership of a group
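Steps 1 and 2 of this section scripted, followed by a read-back of the OU's ACL after the Delegation of Control wizard has run (steps 3 to 5), as an added example that is not part of the NIM documentation. Listing the access control entries granted to the group confirms that the delegation landed on the intended OU and nothing broader, which is the point of moving the service account out of Domain Admins. The group name 'NIM-Delegated-Admins', the account name 'svc-nim-msa' and the OU 'OU=Managed Users,DC=example,DC=com' are assumed placeholders.

```powershell
# Added example, not from the NIM documentation. Requires the RSAT Active
# Directory module, which also provides the AD: PowerShell drive used below.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupName   = 'NIM-Delegated-Admins'                # assumed placeholder
$AccountName = 'svc-nim-msa'                         # assumed placeholder
$TargetOU    = 'OU=Managed Users,DC=example,DC=com'  # assumed placeholder

# Step 1: a dedicated security group keeps the delegation auditable and easy
# to revoke; nothing else should be granted through it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Delegated user and group management for the NIM service account'
}

# Step 2: the managed service account is the only intended member.
$Account = Get-ADServiceAccount -Identity $AccountName
Add-ADGroupMember -Identity $GroupName -Members $Account

# Steps 3-5 run in the ADUC Delegation of Control wizard. Afterwards, read the
# OU's security descriptor and show exactly what the group was granted.
$NetBiosDomain = (Get-ADDomain).NetBIOSName
$Acl = Get-Acl -Path "AD:\$TargetOU"
$GroupAces = $Acl.Access |
    Where-Object { $_.IdentityReference -eq "$NetBiosDomain\$GroupName" }

if (-not $GroupAces) {
    Write-Warning "No ACEs for $GroupName found on $TargetOU; the delegation has not been applied here."
} else {
    # ExtendedRight entries carry the rights GUID (for example the reset
    # password right) in ObjectType; InheritanceType shows whether the grant
    # flows down to child objects of the OU.
    $GroupAces |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

Run the final part again against the domain root (for example Get-Acl -Path "AD:\DC=example,DC=com") to confirm that no entries for the group exist there when you only intended to delegate on a single OU.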