DX Unified Infrastructure Management

  • 1.  NimBus running as Windows group managed service account

    Posted Jun 21, 2019 09:17 AM
    Today we have started testing running the Windows robots using the Windows group managed service account (gMSA).

    Why: recent security audits have requested that we move away from normal service accounts with non-expiring passwords.

    gMSAs are available with AD running in Server 2012 context. These accounts have passwords that are changed/managed by AD (they are changed every 30 days), but you cannot do an interactive login with this type of account; otherwise they are the same as a standard service account.

    For several years now we have been running the nimbus service as a domain service account so this did not seem like a big change.

    What we have done so far is:
    1. Create the AD gMSA object (gMSA-DXIM-nimbus) and assign it to the computer objects where we will be doing the test
    2. Reboot the robot server (gpupdate does not seem to be enough) so that it now has membership in the gMSA-DXIM-robot security group
    3. Run the PowerShell module "Install-ADServiceAccount gMSA-DXIM-nimbus" (we had to install the module with Server Manager feature Remote Server Admin -> AD DS and AD LDS tools -> Active Directory module for Windows PowerShell)
    4. Stop the "nimbus robot watcher" service
    5. Change the "nimbus robot watcher" service to log in as gMSA-DXIM-nimbus$ with no password (it must be null)
    6. Change the ownership of the nimsoft directory to the gMSA-DXIM-nimbus account
    7. Start the "nimbus robot watcher" service

    Everything works as expected so far, we just need to wait 30 days for the first password change and do a restart of the service to check that windows does its thing correctly.

    Does anyone have experience using this type of account? Are there other things that we should consider? Any thoughts about how we can get away with not doing the reboot?

    Thanks, Andrew
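    The cut-over described in the post above, written out as a PowerShell script so the steps and the checks around them can be repeated on another robot. This is an added example, not code from the thread or from Broadcom/UIM; the gMSA name and service display name are taken from the post, while the NetBIOS domain name and the Nimsoft install path are assumptions marked as such in the code. It also records the two facts a reviewer would want after the change: that the service really runs as the gMSA, and that AD is the party rotating the password.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): automate and verify the gMSA cut-over.
# Values marked ASSUMED are placeholders for this example.
Import-Module ActiveDirectory

$GmsaName     = 'gMSA-DXIM-nimbus'                # gMSA object name from the post
$Domain       = 'CORP'                            # ASSUMED NetBIOS domain name
$ServiceLogon = "$Domain\$GmsaName`$"             # gMSA logon names carry a trailing '$'
$DisplayName  = 'Nimbus Robot Watcher'            # service display name from the post
$NimsoftDir   = 'C:\Program Files (x86)\Nimsoft'  # ASSUMED install directory

# 1. Record how the account is managed: which hosts may retrieve the password,
#    how often AD rotates it (days; the post relies on the 30-day default) and
#    when it was last set, so the first rotation can be confirmed later.
$acct = Get-ADServiceAccount -Identity $GmsaName -Properties `
            'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet
"Rotation interval : $($acct.'msDS-ManagedPasswordInterval') days"
"Password last set : $($acct.PasswordLastSet)"
"Allowed principals: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"

# 2. Install the account on this host. Test-ADServiceAccount stays $false until
#    the computer's own Kerberos ticket reflects its new group membership, which
#    is why the post needed a reboot after adding the computer object.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "Host cannot retrieve the managed password for $GmsaName; check group membership and reboot."
    }
}

# 3. Stop the service and repoint its logon. Win32_Service.Change takes an
#    empty StartPassword to mean "no password": the OS fetches the managed
#    password itself, so nothing is stored in the service configuration.
$svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
Stop-Service -Name $svc.Name -Force
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
$res = Invoke-CimMethod -InputObject $cim -MethodName Change `
           -Arguments @{ StartName = $ServiceLogon; StartPassword = '' }
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($res.ReturnValue)" }

# 4. Give the account ownership of the install directory, as the post did, plus
#    an explicit Modify ACE: ownership alone does not grant read/write, and
#    Modify is enough for the robot without handing out Full Control.
$acl   = Get-Acl -Path $NimsoftDir
$ident = [System.Security.Principal.NTAccount]$ServiceLogon
$acl.SetOwner($ident)
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
             $ident, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $NimsoftDir -AclObject $acl

# 5. Start the service and verify the identity it actually runs under.
Start-Service -Name $svc.Name
$running = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
if ($running.State -ne 'Running' -or $running.StartName -ne $ServiceLogon) {
    throw "Unexpected state '$($running.State)' or logon '$($running.StartName)'"
}
"OK: $($svc.Name) is running as $($running.StartName)"
```

    Two points worth knowing before running this. Changing the logon account through services.msc, as the post did, grants the account the "Log on as a service" right automatically; the WMI `Change` method (and `sc.exe config`) does not, so grant that right to the gMSA by local policy or GPO first or the service will fail to start. On the reboot question, the membership check is made against the computer account's Kerberos ticket, so purging the machine's own tickets (`klist -li 0x3e7 purge`) is the commonly cited way to pick up new group membership without a restart; whether that is sufficient for this robot is not something the thread establishes, so treat the reboot as the reliable path until it is tested.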


  • 2.  RE: NimBus running as Windows group managed service account

    Broadcom Employee
    Posted Jun 21, 2019 09:37 AM
    Unfortunately, the dev team and QA have not implemented or tested this, so it is not supported.
    I could not find any information on this from a support perspective.
    There is a current Idea out there for this, but it only has 3 votes.
    https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=cf4eb7af-5c2f-46e6-8545-2a55f2147043

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: NimBus running as Windows group managed service account
    Best Answer

    Broadcom Employee
    Posted Jun 21, 2019 10:26 AM
    Hi, I am sorry I did not look closer at that Idea!!
    That idea was not for UIM, it was for Workload Automation.

    I would suggest you create an Idea for UIM and then the UIM product management team can respond to this.
    Also, watch for roadmap sessions posted here on the communities.
    These are good to attend as you get to ask the product management team questions directly on those sessions.


    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 4.  RE: NimBus running as Windows group managed service account

    Posted Jun 24, 2019 05:36 AM
    Gene,

    I have created a new Ideation as suggested, here: Idea Details - Broadcom Community - Discussion Forums, Technical Docs, and Expert Blogs


    Cheers Andrew