Windows Server 2012 features explained: Group Managed Service Accounts (GMSAs)
Posted: (EET/GMT+2)
Does your Windows application run on server operating systems, and is it perhaps a Windows service application, running behind the scenes without user interaction? If so, you need to be aware of a feature in Windows Server 2012 called Group Managed Service Accounts, or GMSAs.
In Windows, service applications need an account to run under, and often this is an account with administrative privileges (such as domain admin) or even the built-in Local System account. Many administrators prefer to use a custom domain account, and so type a custom username and password into the service's configuration. This is good, except for one thing: IT administrators rarely have the time to actually update these passwords after the service has been configured.
Although changing the password in Active Directory is easy, you would need to re-type the same password in multiple places. In a large enterprise where there are numerous service applications to administer, this is considerable work. Here, Group Managed Service Accounts come to the rescue.
The details can be found here. In short, GMSAs give control of the service account's password to the operating system, which automatically and periodically changes the password based on criteria pre-defined by the administrator. All these criteria are specified centrally using group policies, thus the name.
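As an added example (not part of the original post), the following PowerShell sketch shows how an administrator could provision a GMSA with the ActiveDirectory module and confirm that a server can use it. The account name `svcApp` and the server group `AppServers-gMSA` are assumptions made for illustration.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# Assumed, hypothetical names: account 'svcApp', server group 'AppServers-gMSA'.
Import-Module ActiveDirectory

$GmsaName  = 'svcApp'            # hypothetical GMSA name
$HostGroup = 'AppServers-gMSA'   # hypothetical AD group holding the servers that run the service
$Domain    = Get-ADDomain

# 1. Domain controllers derive GMSA passwords from a KDS root key (one-time setup per forest).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created. It becomes usable after about 10 hours; re-run this script then.'
    return
}

# 2. Create the account once. Only members of $HostGroup may retrieve its password,
#    so a host outside the group cannot run services under this identity.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30   # rotation interval requested for this account
}

# 3. On each server in $HostGroup: install the account and verify that this host
#    can actually retrieve the managed password before touching any service.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This host cannot retrieve the password for $GmsaName. Check group membership, then reboot the host."
}

# 4. Set the service's logon account to DOMAIN\svcApp$ (note the trailing $) and leave
#    the password empty. Afterwards, list the services that run under the GMSA.
$account = "$($Domain.NetBIOSName)\$GmsaName`$"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq $account } |
    Select-Object Name, State, StartName
```

Nobody types or stores a password at any step, which removes the password re-entry work described above.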
In short: a very nice feature available from Windows Server 2012 onwards. If you are developing service applications for Windows with C#/.NET or some other language of your choice, be sure to inform your customers about this feature. I'm pretty sure your customer will thank you.