Active Directory · Term

What is a gMSA?

A Group Managed Service Account is a service account whose password Windows generates, rotates, and manages automatically, removing the weak human-chosen passwords that make Kerberoasting work. Here is what a gMSA is and where it still needs care.

Active Directory · TermAll services
TL;DR

A gMSA (Group Managed Service Account) is a service account whose password is generated and rotated automatically by Active Directory, typically a 240-character value that changes on a schedule and that no human ever sees. Because the password is long and random, gMSAs defeat Kerberoasting and Silver Tickets, which rely on cracking a weak service-account password. They are the recommended fix for service accounts, with one caveat: control over who can read the gMSA password must still be tight.

By John Dill, Red Team Lead, SecureLayer7Updated

What a gMSA is

Ordinary service accounts often carry weak, static, human-chosen passwords that never change, the perfect target for Kerberoasting. A gMSA removes that problem: Active Directory manages the password for you.

The domain generates a long, random password (around 240 characters), rotates it automatically (commonly every 30 days), and lets only authorised host computers retrieve the current password when their service starts. No administrator types or knows it.

Why it defeats attacks (and the one caveat)

gMSAs neutralise the cracking-based attacks:

  • Kerberoasting fails because the 240-character password cannot be cracked offline in any realistic time.
  • Silver Tickets fail for the same reason, since they need the service-account hash.

The caveat is the ReadGMSAPassword right: whichever principals are allowed to read the gMSA password (the msDS-GroupMSAMembership setting) effectively hold the account. If an attacker compromises one of those principals, they can retrieve the password:

  • gMSADumper.py -u user -p pass -d corp.local or BloodHound’s ReadGMSAPassword edge

So gMSAs move the risk from "crackable password" to "who can read it," which is a far smaller, auditable surface.

How to use gMSAs well

  • Migrate service accounts to gMSAs so passwords are long, random, and auto-rotated.
  • Restrict msDS-GroupMSAMembership to only the hosts that genuinely run the service.
  • Audit ReadGMSAPassword rights with BloodHound and remove needless ones.
  • Keep gMSAs out of privileged groups so a compromised one is not also an admin.
  • Ensure the KDS root key is deployed and protected, as it underpins gMSA password generation.

References

  1. [1]MITRE ATT&CK Enterprise Matrix(MITRE)
  2. [2]Microsoft: Best Practices for Securing Active Directory(Microsoft)
  3. [3]Microsoft: Kerberos Authentication Overview(Microsoft)
Related terms

Common questions

Active Directory, asked often

Need your Active Directory tested?

Scope an engagement

Test your Active Directory before an attacker does.

We run internal and Active Directory penetration tests that follow the real path from one low-privilege user to Domain Admin, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

See all services30-min scoping call, fixed-price proposal in 48 hours.