Native Support for Group Managed Service Accounts (gMSA)

Idea created by LanceCole on Mar 16, 2019

As we are working our way through a multi-server enterprise deployment, we initially set up a domain service account for Portal, ArcGIS Servers, Data Store, etc. in our development environment. As our policy does not allow for accounts with passwords that do not expire in production environments, we have manually changed the service accounts on these servers to a Group Managed Service Account (gMSA). Unfortunately, the Configure ArcGIS Server Account utility and related equal utilities do not support using a gMSA, as the password is managed by Active Directory and is not known to be input. We have manually set all the folder permissions to include the gMSA and changed the account via Windows Services for these servers. So far the servers are running and receiving new passwords every 30 days. However, it would be great if this was natively supported in the ArcGIS server components. It was very difficult to track down all the folders requiring permissions to be set for the ArcGIS service account and manually add the gMSA.

The main advantage of a gMSA is that the password is managed by Windows Active Directory and automatically changed at a default interval of 30 days. The password is complex and well secured, based upon a key managed by AD. We have used this method for our IIS and SQL servers since its initial availability in MS Server 2012 AD, as well as using local MSAs in prior MS Server versions.
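The manual procedure the post describes (install the gMSA on the host, grant it permissions on the folders the service writes to, then repoint the Windows service at the account with no stored password), as an added PowerShell example that is not part of the original idea or of Esri's tooling. The account name, service name and folder paths are placeholders; the host is assumed to be domain-joined, already listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword, and to have the ActiveDirectory RSAT module installed.

```powershell
# Added example, not from the original post. All names below are placeholders.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$SamName     = 'gmsa-arcgis$'                         # placeholder gMSA sAMAccountName
$Gmsa        = "CONTOSO\$SamName"                     # placeholder domain\account
$ServiceName = 'ArcGIS Server'                        # placeholder: confirm with Get-Service
$Folders     = @('C:\arcgisserver', 'D:\arcgisdata')  # placeholder folders the service writes to

# 1. Install the gMSA on this host and confirm the host can retrieve its managed password.
Install-ADServiceAccount -Identity $SamName
if (-not (Test-ADServiceAccount -Identity $SamName)) {
    throw "This host cannot retrieve the managed password for $Gmsa; check PrincipalsAllowedToRetrieveManagedPassword."
}

# 2. Show the rotation interval AD enforces for this account (30 days by default).
$interval = (Get-ADServiceAccount -Identity $SamName -Properties 'msDS-ManagedPasswordInterval').'msDS-ManagedPasswordInterval'
Write-Host "Managed password interval for ${Gmsa}: $interval days"

# 3. Grant the gMSA Modify on each folder, inherited by subfolders and files.
#    Modify rather than Full Control keeps the service from changing its own ACLs.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Gmsa, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
foreach ($folder in $Folders) {
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# 4. Repoint the service. The password is deliberately empty: the Service Control
#    Manager fetches the current managed password from AD at start-up.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the short name with Get-Service." }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Gmsa
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($result.ReturnValue)" }

# 5. Restart and verify the identity the service now runs under.
Restart-Service -Name $ServiceName
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
```

Repeat step 3 for every folder the component needs; the post notes that discovering that full list by hand is the hard part.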