Using gMSA in Cayosoft Guardian
A Group Managed Service Account (gMSA) is a type of service account in Windows Active Directory that is used to automate password management for services, applications, or scheduled tasks without needing to manually manage credentials. For more information about gMSA, see Benefits of gMSAs | Microsoft Learn and Choose the right type of service account | Microsoft Learn.
In Cayosoft Guardian, a gMSA can be employed to run services securely. It ensures that the service account's password is automatically managed and periodically updated by Active Directory, reducing the risks associated with manually maintaining and rotating passwords. Using a gMSA also allows for the delegation of permissions needed to perform specific tasks while keeping the account secure across multiple servers.
Accounts for gMSA
Cayosoft Guardian can create a Read-only gMSA or an Admin gMSA, and either can be used as a connection account. If a connection already uses a conventional service account, replace that account with a gMSA. For more details on how to manage domains and partitions, see Configuration: Add a Domain.
After establishing a connection between the AD connector and Guardian, you can set which domain the AD connector will serve. For more information on how to set up the domains, see Configuration: Add a Domain.
Permissions and group membership for gMSA in Cayosoft Guardian
In Cayosoft Guardian, gMSAs secure services and connections with automatic password management. Two types of gMSA accounts are used with Guardian: Admin gMSA and Read-only gMSA. Each serves a specific role in Guardian's operation, especially in environments where administrative privileges are carefully managed or restricted.
Read-only gMSA
The Read-only gMSA account is designed for users who prefer not to use a service account with Domain Admin rights. This account can be leveraged as a connection account for non-intrusive operations that require basic read-only access to Active Directory. Refer to the following common use cases:
- Used as a connection account in environments where Domain Admin privileges are restricted.
- Can be elevated on a just-in-time (JIT) basis in change monitoring scenarios to allow temporary, limited administrative access.
NOTE: Automatic rollback is not supported with read-only gMSA.
Refer to the required permissions and group memberships:
| Setting | Description |
|---|---|
| Read-Only Access to AD | Access is restricted to read operations. |
| One Account per Domain | One gMSA per domain. For non-domain naming contexts, the account is created in the corresponding security reference domain (e.g., the forest root domain for the Configuration naming context). |
| Group Memberships | Event Log Readers and Remote Management Users (to read security event logs on domain controllers); ADSyncOperators where Entra Connect is monitored. See Access to security event logs and Access to Entra Connect instances below. |
| Read Access to the Recycle Bin (Deleted Objects container) | Granted on each naming context except Schema, which has no Deleted Objects container. |
| Replicating Directory Changes | Necessary to monitor and track directory modifications. |
Admin gMSA
The Admin gMSA account provides elevated privileges, typically required for more critical operations. This account is used as a connection account where security is a priority, with the advantage of automatic password management and heightened permissions for administrative tasks. Refer to the following common use cases:
- Used as a connection account to manage higher-level operations in the environment, such as security configurations or critical administrative tasks.
- Required for rollback scenarios where the temporary elevation of read-only gMSA is insufficient.
The Admin gMSA account requires the same permissions and group memberships as the Read-only gMSA, plus the following group memberships:
- Member of the Domain Admins group for the domain Naming Context.
- Member of Enterprise Admins group for Configuration Naming Context and DNS partitions.
- Member of Schema Admins group for Schema Naming Context.
In-Place Temporary Elevation for Rollback (Read-Only gMSA)
The Read-Only gMSA can also be temporarily elevated to perform rollback actions in change monitoring scenarios. This approach ensures that privileges are granted only when needed, following just-in-time elevation principles, and minimizing security risks.
Settings for configuring and protecting gMSA accounts
Configuration settings
- Password change interval: 7 days
- Kerberos encryption types: AES 256
- Account delegation: Disabled
- Allowed principals: Limited to computer accounts where Guardian is installed
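The four settings above map directly onto parameters of New-ADServiceAccount. The following PowerShell is an added example, not Cayosoft's own tooling or the page's code: it creates a gMSA with exactly those settings and then re-reads the object to report any deviation. The account name gMSA-GuardianRO, the DNS host name, the domain corp.example.com and the Guardian host names GUARDIAN01/GUARDIAN02 are assumptions. Run it on a domain-joined host with the ActiveDirectory module, as a user allowed to create objects in the Managed Service Accounts container.

```powershell
# Added example (not Cayosoft code). Account, DNS and host names are assumptions.
Import-Module ActiveDirectory

$Name          = 'gMSA-GuardianRO'                    # sAMAccountName becomes gMSA-GuardianRO$
$DnsHostName   = 'gmsa-guardianro.corp.example.com'
$GuardianHosts = 'GUARDIAN01', 'GUARDIAN02'           # only these computers may retrieve the password

# A KDS root key is a prerequisite for every gMSA in the forest. A newly created key is usable
# only after it has replicated (about 10 hours); Add-KdsRootKey -EffectiveImmediately is for labs.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists; run Add-KdsRootKey and wait for replication before creating gMSAs.'
}

$allowed = $GuardianHosts | ForEach-Object { Get-ADComputer -Identity $_ }

$params = @{
    Name                                       = $Name
    DNSHostName                                = $DnsHostName
    ManagedPasswordIntervalInDays              = 7          # password change interval; fixed at creation time
    KerberosEncryptionType                     = 'AES256'   # no RC4/DES tickets for this account
    PrincipalsAllowedToRetrieveManagedPassword = $allowed   # who may read msDS-ManagedPassword
    AccountNotDelegated                        = $true      # "account is sensitive and cannot be delegated"
    TrustedForDelegation                       = $false     # no unconstrained delegation
    Enabled                                    = $true
}
New-ADServiceAccount @params

# Re-read the object and compare it with the required settings. Returns the list of deviations
# (empty when the account matches), so the same function can run as a scheduled drift check.
function Test-GuardianGmsaSettings {
    param(
        [Parameter(Mandatory)][string]   $Identity,
        [Parameter(Mandatory)][string[]] $ExpectedHosts
    )
    $props = 'msDS-ManagedPasswordInterval', 'KerberosEncryptionType',
             'PrincipalsAllowedToRetrieveManagedPassword', 'AccountNotDelegated', 'TrustedForDelegation'
    $a = Get-ADServiceAccount -Identity $Identity -Properties $props
    $issues = @()

    if ($a.'msDS-ManagedPasswordInterval' -ne 7) {
        $issues += "password interval is $($a.'msDS-ManagedPasswordInterval') days, expected 7"
    }
    if ("$($a.KerberosEncryptionType)" -ne 'AES256') {
        $issues += "Kerberos encryption types are '$($a.KerberosEncryptionType)', expected AES256 only"
    }
    if (-not $a.AccountNotDelegated) { $issues += 'account is not marked sensitive and can be delegated' }
    if ($a.TrustedForDelegation)     { $issues += 'account is trusted for unconstrained delegation' }

    # Allowed principals must be exactly the Guardian computer accounts: nothing missing, nothing extra.
    $expectedDns = $ExpectedHosts | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
    $actualDns   = @($a.PrincipalsAllowedToRetrieveManagedPassword)
    foreach ($dn in ($actualDns   | Where-Object { $_ -notin $expectedDns })) {
        $issues += "unexpected principal may retrieve the password: $dn"
    }
    foreach ($dn in ($expectedDns | Where-Object { $_ -notin $actualDns })) {
        $issues += "Guardian host is not allowed to retrieve the password: $dn"
    }
    return $issues
}

$issues = Test-GuardianGmsaSettings -Identity $Name -ExpectedHosts $GuardianHosts
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host "$Name matches the required settings." }
```

Two caveats worth knowing: ManagedPasswordIntervalInDays cannot be changed after creation, so an account created with the default (30 days) has to be recreated rather than edited; and on each Guardian host, Test-ADServiceAccount -Identity gMSA-GuardianRO should return True only after that computer has obtained a fresh Kerberos ticket reflecting the new allowed-principal setting (a reboot or ticket purge if it was added to an existing group).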
Domain and partition rights
gMSA accounts are granted the following rights to read Active Directory data:
- Replicate directory changes
- Read all properties
- List content
- List object
- Read permissions
Deleted Objects container rights
On the Deleted Objects container, gMSA accounts have the following rights:
- Read all properties
- List contents
- List object
- Read permissions
Access to security event logs
To read security event logs from Active Directory domain controllers, gMSA accounts are added to:
- Remote Management Users
- Event Log Readers
Access to Entra Connect instances
- On domain controllers: gMSA accounts are added to the ADSyncOperators group in Active Directory.
- On member servers: gMSA accounts are added to the following local groups on the Entra Connect computers:
  - ADSyncOperators
  - Remote Management Users
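The domain and partition rights, the Deleted Objects container rights and the group memberships listed in the preceding subsections can be granted with dsacls and the ActiveDirectory module. The PowerShell below is an added example, not Cayosoft's own code; the domain corp.example.com, the account name gMSA-GuardianRO and the Entra Connect server name AADC01 are assumptions. It ends with a check that the account holds Replicating Directory Changes on each partition and nothing stronger: Replicating Directory Changes All (or a blanket "all extended rights" ACE) would let the account replicate password hashes, which is the DCSync primitive and is not something a read-only monitoring account should have.

```powershell
# Added example (not Cayosoft code). Domain, naming contexts, account and server names are assumptions.
Import-Module ActiveDirectory

$Gmsa     = 'gMSA-GuardianRO'
$Sam      = "CORP\$Gmsa`$"                                    # dsacls wants DOMAIN\name$
$DomainNC = 'DC=corp,DC=example,DC=com'
$ConfigNC = 'CN=Configuration,DC=corp,DC=example,DC=com'
$SchemaNC = 'CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com'

# --- Domain and partition rights ---
# RP = read all properties, LC = list contents, LO = list object, RC = read permissions.
# CA;<name> grants the named control-access (extended) right. /I:T = this object and all children.
foreach ($nc in $DomainNC, $ConfigNC, $SchemaNC) {
    dsacls $nc /I:T /G "${Sam}:RPLCLORC"
    dsacls $nc      /G "${Sam}:CA;Replicating Directory Changes"
}

# --- Deleted Objects container rights (the Schema NC has no such container) ---
# The container is owned by SYSTEM; a Domain Admin must take ownership before its ACL can be edited,
# which is itself a change worth recording in the change log.
foreach ($nc in $DomainNC, $ConfigNC) {
    $deleted = "CN=Deleted Objects,$nc"
    dsacls $deleted /takeownership
    dsacls $deleted /G "${Sam}:RPLCLORC"
}

# --- Group memberships ---
$account = Get-ADServiceAccount -Identity $Gmsa
foreach ($group in 'Event Log Readers', 'Remote Management Users') {   # security event logs on DCs
    Add-ADGroupMember -Identity $group -Members $account
}
# Entra Connect on a domain controller: ADSyncOperators is a domain group.
# Add-ADGroupMember -Identity 'ADSyncOperators' -Members $account
# Entra Connect on a member server: local groups on that server.
Invoke-Command -ComputerName 'AADC01' -ScriptBlock {
    foreach ($group in 'ADSyncOperators', 'Remote Management Users') {
        Add-LocalGroupMember -Group $group -Member $using:Sam
    }
}

# --- Verification: Replicating Directory Changes present, DCSync-capable rights absent ---
$GetChanges         = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll      = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$GetChangesFiltered = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set

function Test-GuardianReplicationRights {
    param([string]$Principal, [string[]]$NamingContexts)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $findings = @()
    foreach ($nc in $NamingContexts) {
        $rights = (Get-Acl -Path "AD:\$nc").Access |
            Where-Object { $_.IdentityReference.Value -eq $Principal -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.ActiveDirectoryRights.HasFlag($extended) } |
            ForEach-Object { $_.ObjectType }
        if ($GetChanges -notin $rights)      { $findings += "$nc : Replicating Directory Changes is missing" }
        if ($GetChangesAll -in $rights)      { $findings += "$nc : Replicating Directory Changes All granted (DCSync-capable; remove)" }
        if ($GetChangesFiltered -in $rights) { $findings += "$nc : Replicating Directory Changes In Filtered Set granted (not required)" }
        # An ExtendedRight (or GenericAll) ACE with an empty ObjectType grants every extended right, DCSync included.
        if ([guid]::Empty -in $rights)       { $findings += "$nc : blanket all-extended-rights ACE present (remove)" }
    }
    return $findings
}

Test-GuardianReplicationRights -Principal $Sam -NamingContexts $DomainNC, $ConfigNC, $SchemaNC
```

The verification function is the part to keep around: run it against both the Read-only and the Admin gMSA after any ACL change, since an over-broad grant on the partition root (for example from a template that hands out GenericAll) silently turns a monitoring account into one that can dump every secret in the domain.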
Rollback operations
To roll back Active Directory changes, gMSA permissions must be elevated temporarily:
- The Cayosoft Guardian delegated admin provides credentials for a privileged AD account to add gMSA into the corresponding AD admin group.
- Depending on the type of change, gMSA might be added to:
- Domain Admins
- Enterprise Admins
- Schema Admins
- Administrators
- Once the rollback operation is complete, admin rights are revoked from the gMSA account(s).
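The elevate, act, revoke sequence above is easy to get wrong if revocation is skipped when the rollback itself fails. The PowerShell below is an added example that models that sequence, not Cayosoft Guardian's implementation: the helper name Invoke-WithTemporaryElevation, the account name gMSA-GuardianRO and the placeholder rollback body are assumptions. It refuses to run if the account already holds the group (standing privilege), pins every call to one domain controller so the membership check is not fooled by replication lag, and revokes in a finally block so the privilege is removed on every path.

```powershell
# Added example (not Cayosoft code). Helper, account and credential names are assumptions.
Import-Module ActiveDirectory

function Invoke-WithTemporaryElevation {
    param(
        [Parameter(Mandatory)][string]       $Gmsa,                 # e.g. 'gMSA-GuardianRO'
        [Parameter(Mandatory)][string]       $AdminGroup,           # Domain Admins, Enterprise Admins, Schema Admins or Administrators
        [Parameter(Mandatory)][pscredential] $PrivilegedCredential, # supplied by the delegated admin for this run only
        [Parameter(Mandatory)][scriptblock]  $Rollback,             # the rollback work to perform while elevated
        [string]$Server = (Get-ADDomainController -Discover -Writable).HostName[0]
    )
    $account = Get-ADServiceAccount -Identity $Gmsa -Server $Server
    $group   = Get-ADGroup -Identity $AdminGroup -Server $Server

    # Refuse to proceed if the gMSA already sits in the admin group: that is standing privilege,
    # and "revoking" afterwards would hide the fact that it was there before.
    $members = (Get-ADGroupMember -Identity $group -Server $Server).distinguishedName
    if ($members -contains $account.DistinguishedName) {
        throw "$Gmsa is already a member of $AdminGroup; refusing to elevate."
    }

    try {
        Add-ADGroupMember -Identity $group -Members $account -Server $Server -Credential $PrivilegedCredential
        Write-Host "[$(Get-Date -Format o)] elevated $Gmsa into $AdminGroup on $Server"
        # Group SIDs travel in the Kerberos PAC, so the gMSA only sees the new membership once it
        # holds a fresh TGT (service restart or ticket purge on the Guardian host).
        & $Rollback
    }
    finally {
        # Runs even when the rollback throws: privilege is revoked on every path.
        Remove-ADGroupMember -Identity $group -Members $account -Server $Server `
                             -Credential $PrivilegedCredential -Confirm:$false
        $members = (Get-ADGroupMember -Identity $group -Server $Server).distinguishedName
        if ($members -contains $account.DistinguishedName) {
            Write-Error "$Gmsa is STILL a member of $AdminGroup on $Server; revoke manually."
        } else {
            Write-Host "[$(Get-Date -Format o)] revoked $AdminGroup from $Gmsa"
        }
    }
}

# Which group is needed follows the naming context of the object being rolled back.
$groupForNC = @{
    Domain        = 'Domain Admins'
    Configuration = 'Enterprise Admins'   # also DNS application partitions
    Schema        = 'Schema Admins'
}

$cred = Get-Credential -Message 'Privileged AD account used only to change group membership'
Invoke-WithTemporaryElevation -Gmsa 'gMSA-GuardianRO' -AdminGroup $groupForNC.Domain `
                              -PrivilegedCredential $cred -Rollback {
    # Placeholder for the actual restore (e.g. Restore-ADObject for a deleted object or
    # Set-ADObject -Replace for a changed attribute), executed while the gMSA is elevated.
    Write-Host 'performing rollback while elevated'
}
```

Because the privileged credential is only used for the two membership changes and never persisted, the resulting audit trail on the domain controller is two events (member added, member removed) attributable to the delegated admin, bracketing the rollback performed by the gMSA; that is the record a reviewer should expect to find for every rollback.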
Support in Cayosoft Guardian
- Read-Only Access to AD: Fully supported.
- One Account per Domain: Supported for both read-only and admin accounts.
- Replicating Directory Changes: Supported for both read-only and admin accounts.
- In-Place Temporary Elevation for Rollback: Supported with just-in-time elevation of read-only gMSA.