Managed Service Accounts (MSA) / Group Managed Service Accounts (gMSA) with Specops Password Policy
To start, MSAs and gMSAs are Active Directory accounts that can be tied to a single server (MSAs) or to a group of servers (gMSAs). Windows/AD automatically handles password management for these accounts. As a result, we have a simpler process for running services, while Windows/AD secures the passwords for these accounts.
One important piece to note about MSAs:
MSAs, like computers, do not observe domain or fine-grained password policies. MSAs use a complex, automatically generated password (240 bytes, which is 120 characters, and cryptographically random).
If we take a look at the properties of our Managed Service Accounts folder in AD Users and Computers, we can see that it is of class Container. This is important for us because Group Policies do not apply to containers.
How does Specops Password Policy fit in?
Specops Password Policy only applies to user objects within OUs affected by a group policy with Specops Password Policy settings.
As a result, Specops Password Policy does not apply to gMSAs/mSAs.
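To confirm this in your own domain, the following added example (not part of the original article and not Specops code) reads the object class of the Managed Service Accounts folder and lists every MSA/gMSA with the class of its parent object. It assumes the ActiveDirectory PowerShell module is installed and that the folder sits at its default location under the domain root.

```powershell
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Assumption: the folder is at its default location under the domain root.
$msaContainerDn = "CN=Managed Service Accounts,$domainDn"

# 1. Object class of the Managed Service Accounts folder.
#    "container" means a GPO cannot be linked to it; an OU would report
#    "organizationalUnit".
Get-ADObject -Identity $msaContainerDn |
    Select-Object Name, ObjectClass, DistinguishedName

# 2. Every MSA/gMSA, its own object class, and the class of its parent.
#    None of these are plain user objects, and any account whose parent is
#    not an OU sits outside the reach of linked Group Policies.
Get-ADServiceAccount -Filter * | ForEach-Object {
    # Parent DN is everything after the first unescaped comma in the DN.
    $parentDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
    $parent   = Get-ADObject -Identity $parentDn

    [pscustomobject]@{
        Name         = $_.Name
        AccountClass = $_.ObjectClass      # msDS-ManagedServiceAccount or msDS-GroupManagedServiceAccount
        ParentClass  = $parent.ObjectClass # container or organizationalUnit
        ParentIsOU   = $parent.ObjectClass -eq 'organizationalUnit'
        ParentDn     = $parentDn
    }
} | Format-Table -AutoSize
```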