https://leikah.haoyingcao.xyz/en/tags/group-managed-service-account/Recent content in Group Managed Service Account on LEIKAHHugoenhttps://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/gmsa/Mon, 01 Jan 0001 00:00:00 +0000https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/gmsa/<p>The need to protect service accounts against attacks such as Kerberoasting gave rise to <strong>Managed Service Accounts (MSA)</strong> and later <strong>Group Managed Service Accounts (gMSA)</strong>. While both supports automatic password generation and rotation, the latter allows the same service accounts to be used acrossed different machines.</p> <p>Members of the group that manage the gMSA are intended to be the machine accounts of the computers where the service account will be deployed on. Members have the ability to read the password hash of the service account (<code>ReadGMSAPassword</code>).</p>