Active Directory & Azure AD/Entra ID Security

Active Directory & Azure AD/Entra ID: Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Tag: GMSA

Nov 04 2025

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, PowerShell, Technical Reference

Group Managed Service Accounts (GMSAs) User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that the GMSA has to have security principals explicitly delegated …

ActiveDirectorySecurityTip, GMSA, GroupManagedServiceAccount, msDS-GroupManagedServiceAccount, msDS-GroupMSAMembership, msds-ManagedPassword, msDS-ManagedPasswordId, msDS-ManagedPasswordInterval, PrincipalsAllowedToRetrieveManagedPassword

May 29 2020

Attacking Active Directory Group Managed Service Accounts (GMSAs)

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security

In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I …

clear-text password, Computer Account, ConvertTo-NTHash, DSInternals, Get-ADReplAccount, Get-ADServiceAccount, GMSA, GMSA password, GMSA password hash, GMSA SPN, Group Managed Service Accounts, Kerberos, Kerberos SPN, LSASS, mimikatz, msDS-GroupManagedServiceAccount, msDS-GroupMSAMembership, msds-ManagedPassword, msDS-ManagedPasswordId, msDS-ManagedPasswordInterval, msDS-ManagePasswordInterval, PrincipalsAllowedToRetriveManagedPassword, PSEXEC, Sekurlsa::ekeys, sekurlsa::logonpasswords, service principal name, ServicePrincipalNames, SPN, SYSTEM, _SA_

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Made with by Graphene Themes.

Tag: GMSA

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Tag: GMSA

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

Attacking Active Directory Group Managed Service Accounts (GMSAs)

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright