Windows – Using group managed service accounts on OS version < Windows 2012

Tags: active-directory, managed-service-accounts, windows, windows 7, windows-server-2012

Trying to leverage benefit of Group-Managed Service Accounts (gMSA) but have a mixed environment. My guide was this blog post: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

I've implemented it as in the guide and tested on a Server 2012+ machine. BUT now I want to use the same gMSA account to run the same service as above on a Windows 7 machine. Running this step on that Win7 box:

Install-ADServiceAccount gMSA-account-name

results in "Cannot find an object with identity 'gMSA-account-name'". This remains true if I identify the account via GUID, SID, or full Distinguished Name path.

Searching the WWW doesn't answer whether I can use such an account on OSes earlier than Server 2012, i.e. Windows 7. I'd imagine if such a thing were possible, somehow extending the AD schema such that Win7 can understand this new type of account would be required (via ADMX files?).

Thanks for looking!

Best Answer

The desktop version of Windows that corresponds with Windows Server 2012 is Windows 8. So you need at least Windows 8 or newer to use gMSAs. Only non-group MSAs can be used on Windows 7 (and 2008 R2).

Group Managed Service Accounts Overview

Managed Service Accounts (and Virtual Computer Accounts) apply to both Windows Server 2008 R2 and Windows Server 2012. Group Managed Service Accounts can only be configured and administered on computers running Windows Server 2012 but can be deployed as a single service identity solution in domains that still have some DCs running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.

It is highly unlikely that Microsoft will backport the functionality necessary to implement gMSAs on what are now legacy OSes.
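As an added example (not part of the question or the answer above), the following PowerShell script checks the two preconditions the answer describes before calling Install-ADServiceAccount: that the host runs Windows 8 / Server 2012 (NT 6.2) or newer when the account is a group MSA, and that the computer can actually retrieve the managed password afterwards. The account name `gMSA-account-name` is the placeholder from the question; the object class names and the cmdlet parameters are the standard ActiveDirectory module ones.

```powershell
# Added example: validate gMSA prerequisites on this host before installing the account.
# 'gMSA-account-name' is the placeholder used in the question above.
$AccountName = 'gMSA-account-name'

Import-Module ActiveDirectory

# Look the account up in AD and determine whether it is a group MSA or a standalone MSA.
# A group MSA has ObjectClass msDS-GroupManagedServiceAccount;
# a standalone (2008 R2-style) MSA has ObjectClass msDS-ManagedServiceAccount.
$acct = Get-ADServiceAccount -Identity $AccountName -Properties ObjectClass
$isGroupMsa = ($acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount')

# gMSA support arrived with Windows 8 / Windows Server 2012, i.e. kernel version 6.2.
# Windows 7 / Server 2008 R2 report 6.1 and can only use standalone MSAs.
$os = [System.Environment]::OSVersion.Version
if ($isGroupMsa -and $os -lt [Version]'6.2') {
    throw "OS version $os is older than 6.2 (Windows 8 / Server 2012). " +
          "'$AccountName' is a group MSA and cannot be installed here; use a standalone MSA for this host."
}

# Install the account locally. For a gMSA the computer must be listed in the account's
# PrincipalsAllowedToRetrieveManagedPassword (directly or via group membership).
Install-ADServiceAccount -Identity $AccountName

# Test-ADServiceAccount returns $true only if this computer can retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Account '$AccountName' was installed but this computer cannot retrieve its password. " +
          "Check the allowed principals on the account; if membership was just changed, reboot so the computer's token is refreshed."
}

Write-Output "Account '$AccountName' is installed and usable on $env:COMPUTERNAME."
```

Run it elevated on the target host with the ActiveDirectory RSAT module installed. The version check is what turns the vague "Cannot find an object with identity" error into a clear statement of the real cause, and the Test-ADServiceAccount call catches the other common failure, a host that was added to the allowed-principals group but has not yet rebooted.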