AD Managed Service Accounts in SharePoint 201X

  • Question

  • Good Morning SharePoint Community,

    I wanted to ask from your different/professional perspectives the implications, pros and cons of using Active Directory Managed Service Accounts for my SharePoint Farms. (I'm not talking about SharePoint Managed Accounts but AD Managed accounts. Cool article with the differences here.)

    At a first glance I believe I cannot switch a regular Active Directory account into a managed service account. So I have a couple of questions for you all. I found this here which says you absolutely can, however I'm more asking you about the implications and if it really is possible/feasible.

    • Does it mean I have to re-build my farm say if I need to turn my SPFarmAdmin account to AD Managed Accounts? Or
    • Is there a way to swap accounts without rebuilding the farm?
    • Can I install SharePoint with my personal elevated account or is it a MUST to install it using the "SPFarmAdmin" service account?
    • Can I install patches and run the SharePoint configuration wizard with an elevated (personal not service account) admin account other than "SPFarmAdmin"?

    I will definitely do my homework, however I would really appreciate any input.

    Thank you!
    OT


    OT

    Thursday, October 3, 2019 6:17 PM

All replies

  • SharePoint does not support Active Directory gMSA/MSAs. SQL does, however, and you should use it for SQL Server. This is the definitive guide for SharePoint accounts:

    https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts


    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Oliver_Tech Thursday, October 3, 2019 9:03 PM
    Thursday, October 3, 2019 7:58 PM
    Moderator
  • Thank you Trevor for taking the time to reply.

    I checked the article you kindly provided and it does mention that SQL supports gMSA but it doesn't specify that SharePoint does not support them. Maybe it is implied since it is not mentioned in the article, I was just looking for some hard evidence to prove to my boss before I embark on the task of "giving it a try".


    Thank you!
    DM


    OT

    Thursday, October 3, 2019 8:41 PM
  • SharePoint doesn't support them. It isn't aware of (g)MSAs so when the password rolls, SharePoint services will stop working. I'll make a note in that article that (g)MSAs are not supported for SharePoint services and update this thread when the PR gets merged.

    Trevor Seward

    Thursday, October 3, 2019 8:47 PM
    Moderator
  • You can follow the PR status at https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/pull/1411.

    Trevor Seward

    Thursday, October 3, 2019 9:05 PM
    Moderator
  • I also found this article but the warning he refers to is nowhere to be found...

    OT

    Thursday, October 3, 2019 10:16 PM
  • SharePoint has its own concept of 'Managed Accounts'. They're still standard Domain User accounts and don't have some of the security benefits of (g)MSAs. What they do offer is automatic password change with automatic service restart. There are a couple of exceptions (accounts defined in a Secure Store App or UPSA Sync account).

    Trevor Seward

    Thursday, October 3, 2019 10:31 PM
    Moderator
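
An added example, not part of the thread and not any poster's code: a PowerShell audit that lists the identities a farm runs under, shows whether each is a SharePoint Managed Account with automatic password change enabled, and warns about any that look like an AD (g)MSA, which the replies above say SharePoint services do not support. It assumes the SharePoint snap-in is available on the server and uses a trailing `$` in the account name as a heuristic for (g)MSAs.

```powershell
# Added example, not from the thread. Run in an elevated shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# SharePoint Managed Accounts, keyed by user name (hashtable keys are case-insensitive).
$managed = @{}
Get-SPManagedAccount | ForEach-Object { $managed[$_.Username] = $_ }

# Identities the farm actually runs under.
$inUse = @()
$inUse += Get-SPServiceApplicationPool | ForEach-Object {
    [pscustomobject]@{ Source = "Service app pool: $($_.Name)"; Account = $_.ProcessAccountName }
}
$inUse += Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    [pscustomobject]@{ Source = "Web application: $($_.DisplayName)"; Account = $_.ApplicationPool.Username }
}
$inUse += [pscustomobject]@{
    Source  = 'Farm account'
    Account = (Get-SPFarm).DefaultServiceAccount.Name
}

# One report row per identity.
$report = foreach ($id in $inUse) {
    # Skip the lookup when an identity has no account name (indexing with $null throws).
    $ma = if ($id.Account) { $managed[$id.Account] } else { $null }
    [pscustomobject]@{
        Source           = $id.Source
        Account          = $id.Account
        # Assumption: MSA/gMSA sAMAccountNames end in '$' (so do computer accounts).
        LooksLikeGmsa    = $id.Account -like '*$'
        SPManagedAccount = [bool]$ma
        AutomaticChange  = if ($ma) { $ma.AutomaticChange } else { $null }
    }
}

$report | Sort-Object Account, Source | Format-Table -AutoSize

# Surface the unsupported case explicitly.
$report | Where-Object LooksLikeGmsa | ForEach-Object {
    Write-Warning "$($_.Source) runs as $($_.Account), which looks like an AD (g)MSA."
}
```

Accounts defined in a Secure Store application or the UPSA sync account are not covered by this report, matching the exceptions noted in the reply above.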
  • Thank you very much Trevor. I see the article updated. I really appreciate it!

    OT

    OT

    Friday, October 4, 2019 4:50 PM