GMSA instead of service account for collection

We are looking to move away from standard service accounts on many of our applications primarily due to password rotation requirements. We are running Access Analyzer, NTM and NTP and are trying to determine if any of those products, either now or in the future, will support the use of GMSA accounts to replace the standard service accounts needed.

Thanks!

Hey Art!

As of right now, there is no official support for gMSA for Threat Manager (though this would be a good idea to submit!). I’ve got a new document in the works for using gMSA with Threat Prevention that I will link here when it goes live, shortly. As for Access Analyzer, please see below:

Access Analyzer - Partial Support

Several data collectors are supported for gMSA. This KB lists which are supported:

Access Information Center - Full Support

Hope this helps!

So for Access Analyzer, I only need to do the AD Inventory under a gMSA. Are there specific instructions for that in the doc?

Hey Art!

Make sure you meet the prerequisites listed here:

Then when you create the connection profile, for “Password Storage” you’ll select “Managed Service Account” (which will remove those password fields).

After that, just assign that connection profile to the Active Directory Inventory job and you’re good to go! (assuming your gMSA has the necessary permissions to run ADI)
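As an added example (not code from this thread or from the vendor), the gMSA prerequisites above can be checked from the collection host with the built-in ActiveDirectory cmdlets before the "Managed Service Account" connection profile is created. The gMSA name `svc-aai-adi` and the collector host `AAI-COLLECT01` are hypothetical; the permissions the gMSA needs for ADI itself come from the vendor's prerequisites KB and are not shown here.

```powershell
# Added example: provision a gMSA for the AD Inventory job and confirm the
# collection host can retrieve its password. Names below are hypothetical.
Import-Module ActiveDirectory

$gmsaName  = 'svc-aai-adi'      # hypothetical gMSA used by the ADI job
$collector = 'AAI-COLLECT01'    # hypothetical Access Analyzer server
$domainDns = (Get-ADDomain).DNSRoot

# 1. A KDS root key must exist before any gMSA can be created (once per forest).
if (-not (Get-KdsRootKey)) {
    # In production omit -EffectiveImmediately and allow ~10 hours for replication.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Create the gMSA and allow ONLY the collection host to retrieve its password.
#    Least privilege: no other computer should be able to fetch this credential.
$hostAccount = Get-ADComputer -Identity $collector
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostAccount `
        -Enabled $true
}

# 3. Run on the collection host: install the gMSA locally and verify retrieval.
#    A False result here means the "Managed Service Account" connection profile
#    will not be able to authenticate when the ADI job runs.
Install-ADServiceAccount -Identity $gmsaName
$ok = Test-ADServiceAccount -Identity $gmsaName
if (-not $ok) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $gmsaName; check PrincipalsAllowedToRetrieveManagedPassword and KDS key replication."
}

# 4. Audit check: list who may retrieve the password (expected: the collector only).
(Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

Steps 1 and 2 need domain permissions to create service accounts; step 3 is run locally on the collector after the RSAT AD PowerShell module is installed there.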