Overview
Group Managed Service Account (gMSA) is a Managed Service Account (MSA) within the AD DOMAIN that provides automatic Password Management, simplified ServicePrincipalName (SPN) management, and the ability to delegate management of the account to other administrators across multiple servers.
When a client connects to a service hosted on a server farm, such as a Network Load Balanced solution, Authentication Protocols that support Mutual Authentication require that all instances of the service use the same ServicePrincipalName. When a Group Managed Service Account is used as the service principal, every host in the farm runs the service under the same account, and the Windows operating system manages the password for that account rather than an administrator.
The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for a Microsoft Active Directory account. The Key Distribution Service holds a root secret from which keys for the account are derived, and these keys are changed periodically. For a gMSA, the domain controller computes the password from the key provided by the Key Distribution Service together with other attributes of the gMSA. Member hosts can obtain the current and preceding password values by contacting a domain controller. Only the principals listed in the gMSA's msDS-GroupMSAMembership attribute (set with PrincipalsAllowedToRetrieveManagedPassword) may read the constructed msDS-ManagedPassword attribute, so being on that list is equivalent to holding the account's credentials; the attribute is only returned over an encrypted (sealed) LDAP connection.
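As an added illustration (not code from the original page or from Microsoft) of what a member host actually receives when it reads msDS-ManagedPassword, the following Python parses the MSDS-MANAGEDPASSWORD_BLOB structure documented in MS-ADTS section 2.2.19 (16-byte header with version, length and offsets, then null-terminated UTF-16LE current and previous passwords, padding, and two 64-bit intervals in 100-nanosecond units) and derives the NT hash, which is MD4 over the raw UTF-16LE password bytes. The blob below is constructed inline for the example with readable passwords; a real gMSA password is a long random sequence of UTF-16 code units that generally does not decode as text, which is why the parser never decodes it. The MD4 routine is implemented here directly because hashlib on OpenSSL 3 builds often lacks it.

```python
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hash = MD4(password as UTF-16LE)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    msg = bytearray(data) + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k in range(0, 16, 4):                     # round 1
            a = rotl((a + F(b, c, d) + X[k]) & _MASK, 3)
            d = rotl((d + F(a, b, c) + X[k + 1]) & _MASK, 7)
            c = rotl((c + F(d, a, b) + X[k + 2]) & _MASK, 11)
            b = rotl((b + F(c, d, a) + X[k + 3]) & _MASK, 19)
        for k in range(4):                            # round 2
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, 3)
            d = rotl((d + G(a, b, c) + X[k + 4] + 0x5A827999) & _MASK, 5)
            c = rotl((c + G(d, a, b) + X[k + 8] + 0x5A827999) & _MASK, 9)
            b = rotl((b + G(c, d, a) + X[k + 12] + 0x5A827999) & _MASK, 13)
        for k in (0, 2, 1, 3):                        # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, 3)
            d = rotl((d + H(a, b, c) + X[k + 8] + 0x6ED9EBA1) & _MASK, 9)
            c = rotl((c + H(d, a, b) + X[k + 4] + 0x6ED9EBA1) & _MASK, 11)
            b = rotl((b + H(c, d, a) + X[k + 12] + 0x6ED9EBA1) & _MASK, 15)
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack('<4I', a, b, c, d)


def build_managed_password_blob(current, previous, query_100ns, unchanged_100ns):
    """Assemble an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19); used here only to
    construct test input, since a DC is what normally produces this structure."""
    body = bytearray()
    cur_off = 16                                      # header is 16 bytes
    body += current + b'\x00\x00'
    prev_off = 0                                      # 0 means "no previous password"
    if previous is not None:
        prev_off = 16 + len(body)
        body += previous + b'\x00\x00'
    body += b'\x00' * ((8 - (16 + len(body)) % 8) % 8)   # AlignmentPadding to 8 bytes
    query_off = 16 + len(body)
    body += struct.pack('<Q', query_100ns)
    unchanged_off = 16 + len(body)
    body += struct.pack('<Q', unchanged_100ns)
    header = struct.pack('<HHIHHHH', 1, 0, 16 + len(body),
                         cur_off, prev_off, query_off, unchanged_off)
    return header + bytes(body)


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse msDS-ManagedPassword; returns raw password bytes and their NT hashes."""
    if len(blob) < 16:
        raise ValueError('blob too short for MSDS-MANAGEDPASSWORD_BLOB header')
    version, reserved, length, cur_off, prev_off, query_off, unchanged_off = \
        struct.unpack_from('<HHIHHHH', blob, 0)
    if version != 1 or reserved != 0:
        raise ValueError(f'unexpected Version/Reserved: {version}/{reserved}')
    if length != len(blob):
        raise ValueError(f'Length field {length} does not match blob size {len(blob)}')

    def wstr(off):
        # Scan for the UTF-16 null terminator in 2-byte steps; never decode,
        # because real gMSA passwords are arbitrary code units.
        end = off
        while blob[end:end + 2] != b'\x00\x00':
            end += 2
            if end + 2 > len(blob):
                raise ValueError('unterminated password string')
        return bytes(blob[off:end])

    current = wstr(cur_off)
    previous = wstr(prev_off) if prev_off else None
    query_100ns = struct.unpack_from('<Q', blob, query_off)[0]
    unchanged_100ns = struct.unpack_from('<Q', blob, unchanged_off)[0]
    return {
        'current_password': current,
        'previous_password': previous,
        'nt_hash': md4(current).hex(),
        'previous_nt_hash': md4(previous).hex() if previous is not None else None,
        'query_interval_s': query_100ns // 10_000_000,      # time until re-query
        'unchanged_interval_s': unchanged_100ns // 10_000_000,  # guaranteed-stable window
    }


# Constructed sample blob (hypothetical values, not data from a real domain).
SAMPLE_BLOB = build_managed_password_blob(
    'password'.encode('utf-16-le'),
    'OldPassword'.encode('utf-16-le'),
    30 * 24 * 3600 * 10_000_000,     # 30 days, the default ManagedPasswordIntervalInDays
    29 * 24 * 3600 * 10_000_000,
)

if __name__ == '__main__':
    for key, value in parse_managed_password_blob(SAMPLE_BLOB).items():
        print(f'{key}: {value}')
```

The practical point is that the blob contains both the current and the previous password in the clear, and the NT hash falls out with one MD4; anyone who can read this attribute can authenticate as the gMSA without ever cracking anything.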
Group Managed Service Accounts are Microsoft Active Directory objects of the ObjectClass msDS-GroupManagedServiceAccount and typically have a User-Account-Control attribute value of WORKSTATION_TRUST_ACCOUNT (4096), the same flag a domain-joined computer account carries.