Trying to leverage the benefit of Group-Managed Service Accounts (gMSA), but I have a mixed environment. My guide was this blog post: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
I've implemented it as in the guide and tested on a Server 2012+ machine. BUT now I want to use the same gMSA account to run the same service as above on a Windows 7 machine. Running this step on that Win7 box:
Install-ADServiceAccount gMSA-account-name
results in: Cannot find an object with identity "gMSA-account-name". This remains true if I identify the account via GUID, SID, or full Distinguished Name path.
Searching the web doesn't answer whether I can use such an account on OSes earlier than Server 2012, i.e. Windows 7. I'd imagine that if such a thing were possible, somehow extending the AD schema so that Win7 can understand this new type of account would be required (via ADMX files?).
Thanks for looking!
Best Answer
The desktop version of Windows that corresponds to Windows Server 2012 is Windows 8. So you need at least Windows 8 or newer to use gMSAs. Only non-group MSAs can be used on Windows 7 (and 2008 R2).
Group Managed Service Accounts Overview
It is highly unlikely that Microsoft will back port the functionality necessary to implement gMSAs on what are now legacy OSes.
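As an added illustration of the rule in the answer (example code written for this page, not part of the original question or answer, and not Microsoft's own sample): the script below checks the account's objectClass and the target host's NT version before attempting Install-ADServiceAccount, refuses to push a gMSA to a pre-6.2 (Windows 7 / 2008 R2) host, and shows the standalone-MSA path that does work there. It assumes it is run from a Server 2012+ admin host with the current ActiveDirectory module, that WinRM is enabled on the target, and that the caller may create and link service accounts. Names such as svc-legacy-msa and WIN7-APP01 are placeholders.

```powershell
# Added example; not from the original post. Placeholder names throughout.
Import-Module ActiveDirectory

function Get-ServiceAccountKind {
    param([Parameter(Mandatory)][string]$Identity)
    # gMSA objects carry objectClass msDS-GroupManagedServiceAccount;
    # standalone (non-group) MSAs carry msDS-ManagedServiceAccount.
    $acct = Get-ADServiceAccount -Identity $Identity -Properties ObjectClass
    switch ($acct.ObjectClass) {
        'msDS-GroupManagedServiceAccount' { 'gMSA' }
        'msDS-ManagedServiceAccount'      { 'sMSA' }
        default                           { 'unknown' }
    }
}

function Test-HostSupportsGmsa {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Windows 7 / 2008 R2 report NT 6.1; Windows 8 / 2012 report NT 6.2.
    # Get-WmiObject is used because Win7 may still be on PowerShell 2.0.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    return ([version]$os.Version -ge [version]'6.2')
}

function Install-OnHost {
    # Install-ADServiceAccount must run ON the consuming host, with the
    # RSAT ActiveDirectory module present there.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$ComputerName
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($name)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $name
        # $true means the host can retrieve the password and log the account on
        Test-ADServiceAccount -Identity $name
    } -ArgumentList $Identity
}

function Install-LegacyServiceAccount {
    # Windows 7 path: a standalone MSA bound to exactly one computer.
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
        # -RestrictToSingleComputer yields a non-group MSA (msDS-ManagedServiceAccount)
        New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer -Enabled $true
    }
    # Link the MSA to the one computer allowed to use it
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $AccountName
    Install-OnHost -Identity $AccountName -ComputerName $ComputerName
}

function Deploy-ServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $kind = Get-ServiceAccountKind -Identity $Identity
    if ($kind -eq 'gMSA' -and -not (Test-HostSupportsGmsa -ComputerName $ComputerName)) {
        # This is the situation in the question: the host is too old for a gMSA.
        throw ("{0} is a gMSA but {1} is older than Windows 8 / Server 2012. " +
               "Use a standalone MSA there (see Install-LegacyServiceAccount).") -f $Identity, $ComputerName
    }
    if ($kind -eq 'unknown') {
        throw "$Identity is not a managed service account object."
    }
    Install-OnHost -Identity $Identity -ComputerName $ComputerName
}

# Usage (placeholder names):
#   Deploy-ServiceAccount -Identity 'gMSA-account-name' -ComputerName 'SRV2012-APP01'
#   Install-LegacyServiceAccount -AccountName 'svc-legacy-msa' -ComputerName 'WIN7-APP01'
```

The version gate reproduces the answer's rule rather than relying on the "Cannot find an object" error as the signal: that error only appears after the cmdlet has already tried, and it does not say why. For the gMSA itself, the consuming host must also be listed in the account's PrincipalsAllowedToRetrieveManagedPassword (as in the linked blog post); for the standalone MSA the equivalent binding is the Add-ADComputerServiceAccount link shown above.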