!!! Overview
[{$pagename}] ([gMSA]) is a [MSA] within the [AD DOMAIN] that provides automatic [Password Management], simplified [ServicePrincipalName] ([SPN]) management, and the ability to [delegate|Delegation] that management to other administrators across multiple servers.

When connecting to a service hosted on a server farm, such as a Network Load Balanced solution, the [Authentication Protocols] supporting [Mutual Authentication] require that all instances of the service use the same [ServicePrincipalName]. When a [{$pagename}] is used as the service principal, the Windows operating system manages the password for the [MSA].

The [Microsoft] [Key Distribution Service|Key Distribution Center] (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for a [Microsoft Active Directory] account. The Key Distribution Service shares a secret which is used to create keys for the account. These keys are changed periodically. For a gMSA, the domain controller computes the password on the key provided by the Key Distribution Service, in addition to other attributes of the gMSA. Member hosts can obtain the current and preceding password values by contacting a domain controller.

[{$pagename}] objects have the [Microsoft Active Directory] [ObjectClass] [msDS-GroupManagedServiceAccount] and typically have a [User-Account-Control Attribute Value] of [WORKSTATION_TRUST_ACCOUNT] (4096).

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
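The following audit script is an added example, not part of the original page. It lists every object of class msDS-GroupManagedServiceAccount with its SPNs and the hosts allowed to obtain its password, checks for the 4096 flag described in the Overview, and confirms that a Key Distribution Service root key exists. The group names in $BroadGroups are an assumption (English default names) about what counts as an overly wide set of member hosts.

```powershell
# Added example, not from the original page. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$WorkstationTrust = 0x1000   # WORKSTATION_TRUST_ACCOUNT (4096), as stated in the Overview
# Assumption: these default group names mark an overly broad set of member hosts.
$BroadGroups = '^CN=(Domain Computers|Domain Users),'

# Passwords are derived from the Key Distribution Service root key, so check it first.
# Reading root keys usually needs privileged rights; a failure is reported, not fatal.
try {
    $rootKeys = @(Get-KdsRootKey -ErrorAction Stop)
    if ($rootKeys.Count -eq 0) { Write-Warning 'No KDS root key exists in this forest.' }
    $rootKeys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table
} catch {
    Write-Warning "Could not read KDS root keys: $($_.Exception.Message)"
}

$props = 'ServicePrincipalNames', 'PrincipalsAllowedToRetrieveManagedPassword',
         'msDS-ManagedPasswordInterval', 'userAccountControl'

$report = Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" -Properties $props |
    ForEach-Object {
        # Distinguished names of the principals (member hosts) that may fetch the password.
        $readers = @($_.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })
        $notes = @()
        if (-not ($_.userAccountControl -band $WorkstationTrust)) { $notes += 'UAC lacks 4096' }
        if ($readers.Count -eq 0) { $notes += 'no host may retrieve the password' }
        if ($readers -match $BroadGroups) { $notes += 'broad group may retrieve the password' }
        [pscustomobject]@{
            Account      = $_.SamAccountName
            SPNs         = @($_.ServicePrincipalNames) -join '; '
            IntervalDays = $_.'msDS-ManagedPasswordInterval'
            Readers      = $readers -join '; '
            Findings     = $notes -join ', '
        }
    }

$report | Sort-Object Account | Format-List
```

An empty Findings field means the account matched the attributes described above and its password is readable only by explicitly named principals.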