
Managed Service Accounts (mSA) / Group Managed Service Accounts (gMSA) with Specops Password Policy

To start, MSAs and gMSAs are Active Directory accounts that can be tied to a server (MSAs) or a group of servers (gMSAs). Windows/AD automatically handles the password management of these accounts. As a result, we have a simpler process for running services, while Windows/AD secures the passwords for these accounts.

For more information on gMSAs see Microsoft documentation here. For information on mSAs see the post here.

One important piece to note about MSAs:

MSAs, like computers, do not observe domain or fine-grained password policies. MSAs use a complex, automatically generated password (240 bytes, which is 120 characters, and cryptographically random).

If we take a look at the properties of our Managed Service Accounts folder in AD Users and Computers, we can see that it is of class Container. This is important for us because Group Policies do not apply to containers.

How does Specops Password Policy fit in?

Specops Password Policy only applies to user objects within OUs affected by a group policy with Specops Password Policy settings.

As a result, Specops Password Policy does not apply to gMSAs/mSAs.
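
To check this in your own domain, the following PowerShell lists every mSA/gMSA together with the class of its parent object and whether a GPO is linked directly to that parent. This is an added example, not code from Specops or Microsoft; it assumes the RSAT ActiveDirectory module and read access to the directory, and the helper `Get-ParentDn` is a hypothetical name introduced here.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and a session
# that can query the domain. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

# Hypothetical helper: return the parent DN of an object.
function Get-ParentDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split off the first RDN at the first comma that is not backslash-escaped.
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

Get-ADServiceAccount -Filter * | ForEach-Object {
    $parentDn = Get-ParentDn -DistinguishedName $_.DistinguishedName

    # gPLink is only populated on objects that can carry GPO links (such as OUs).
    $parent = Get-ADObject -Identity $parentDn -Properties gPLink

    [pscustomobject]@{
        Name              = $_.Name
        # msDS-ManagedServiceAccount or msDS-GroupManagedServiceAccount
        AccountClass      = $_.ObjectClass
        ParentDn          = $parentDn
        # 'container' for the default Managed Service Accounts location
        ParentClass       = $parent.ObjectClass
        GpoLinkedOnParent = -not [string]::IsNullOrWhiteSpace($parent.gPLink)
    }
} | Sort-Object ParentClass, Name | Format-Table -AutoSize
```

Accounts left in the default location show `ParentClass` as `container` and `GpoLinkedOnParent` as `False`; any row with a different parent class is an account that has been moved out of the default container.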

March 11, 2021
