Information technology tools and resources at the UW
20140312: Group Managed Service Account capability release
A new capability is available. Some minor changes (e.g. to OU permissions) were made to enable it.
What and When:
Delegated OU customers are now able to create, delete, and manage Group Managed Service Accounts (gMSAs). This provides a self-service, higher-security option for non-interactive applications, services, and scheduled tasks that run automatically but need a security credential.
What you need to do:
You may want to re-evaluate the credentials used by any existing Windows-based applications, services, or scheduled tasks and consider using a gMSA instead. In particular, gMSAs are an excellent solution for these non-interactive processes when an IT administrator leaves. Because Active Directory generates and rotates a gMSA's password automatically, you don't need to manually change all the passwords known by that IT administrator, or accept the risk of not changing them.
See http://www.netid.washington.edu/documentation/groupManagedServiceAccounts.aspx for how to get started.
Note that gMSAs are more like AD computer accounts than like AD user accounts, and gMSAs are not UW NetIDs. gMSAs can be members of UW Groups.
If you have questions about this new capability, either respond to this email on the email@example.com mailing list, or send email to firstname.lastname@example.org with “UWWI gMSAs” in the subject line to reach someone from the UWWI service team.