Today we have started testing running the Windows robots using a Windows group Managed Service Account (gMSA).
Why: recent security audits have requested that we move away from normal service accounts with non-expiring passwords.
gMSAs are available with AD running in Server 2012 context. These accounts have passwords that are changed/managed by AD (they are changed every 30 days), but you cannot do an interactive login with this type of account; otherwise they are the same as a standard service account.
For several years now we have been running the nimbus service as a domain service account so this did not seem like a big change.
What we have done so far is:
1. Create AD gMSA object (gMSA-DXIM-nimbus) and assign it to the computer objects where we will be doing the test
2. reboot the robot server (gpupdate does not seem to be enough) so that it now has membership in the gMSA-DXIM-robot security group
3. run the PowerShell module "Install-ADServiceAccount gMSA-DXIM-nimbus" (we had to install the module with Server Manager feature Remote Server Admin -> AD DS and AD LDS tools -> Active Directory module for Windows PowerShell)
4. stop the "nimbus robot watcher" service
5. change the "nimbus robot watcher" service to log on as gMSA-DXIM-nimbus$ with no password (it must be null)
6. change the ownership of the nimsoft directory to the gMSA-DXIM-nimbus account
7. started "nimbus robot watcher" service
Everything works as expected so far; we just need to wait 30 days for the first password change and do a restart of the service to check that Windows does its thing correctly.
Does anyone have experience using this type of account? Are there other things that we should consider? Any thoughts about how we can get away with not doing the reboot?
Thanks, Andrew
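The seven steps above, written out as a PowerShell run-through. This is an added example, not part of Andrew's post or of any Nimsoft/CA documentation. The domain name CORP / corp.example, the computer names ROBOT01/ROBOT02, the service name NimbusWatcherService and the install path C:\Program Files\Nimsoft are placeholders; the gMSA and group names are the ones from the post. It also covers two things the post raises: the reboot in step 2 is only needed so the host's Kerberos ticket picks up the new group SID, and purging the computer account's ticket cache (logon session 0x3e7) is the usual way to force that without rebooting; and Test-ADServiceAccount confirms the host can retrieve the managed password, which is the same check that matters again after the first 30-day rotation.

```powershell
# Added example, not from the original post. Placeholder names: CORP / corp.example,
# ROBOT01$/ROBOT02$, NimbusWatcherService, C:\Program Files\Nimsoft.

# --- Domain side (admin host with the ActiveDirectory module), one time ---
Import-Module ActiveDirectory

# A KDS root key must exist in the forest before any gMSA can be created.
# In production the key only becomes usable ~10 hours after creation (replication);
# the AddHours(-10) form is the lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Security group of robot hosts, then the gMSA whose password only those hosts may retrieve.
New-ADGroup -Name 'gMSA-DXIM-robot' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-DXIM-robot' -Members 'ROBOT01$', 'ROBOT02$'
New-ADServiceAccount -Name 'gMSA-DXIM-nimbus' `
    -DNSHostName 'gMSA-DXIM-nimbus.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-DXIM-robot' `
    -ManagedPasswordIntervalInDays 30

# --- On each robot host (elevated PowerShell, RSAT AD module installed) ---
# The host is only allowed to fetch the password once its Kerberos ticket carries the
# gMSA-DXIM-robot SID. A reboot does that; purging the SYSTEM logon session's tickets
# (LUID 0x3e7) makes the host re-authenticate and is the common no-reboot alternative.
klist -li 0x3e7 purge

Install-ADServiceAccount -Identity 'gMSA-DXIM-nimbus'
if (-not (Test-ADServiceAccount -Identity 'gMSA-DXIM-nimbus')) {
    throw 'Host cannot retrieve the gMSA password: check group membership / ticket refresh'
}

# Reconfigure the service. A gMSA logs on as DOMAIN\name$ and the password is left empty;
# Windows retrieves the current managed password itself at every service logon, so the
# 30-day rotation needs no change on the host.
$svc = 'NimbusWatcherService'   # placeholder for the "nimbus robot watcher" service
Stop-Service -Name $svc
# 'sc' alone is the Set-Content alias in PowerShell, so call sc.exe explicitly;
# sc.exe requires the space after 'obj=' and 'password='.
sc.exe config $svc obj= 'CORP\gMSA-DXIM-nimbus$' password= ''
# Note: services.msc grants "Log on as a service" automatically when you pick the account;
# sc.exe does not, so grant it via Local Security Policy / GPO if the service fails to start.

# Step 6 of the post takes ownership of the install directory. From a least-privilege
# standpoint, granting Modify on the tree is usually enough and keeps ownership with admins.
icacls 'C:\Program Files\Nimsoft' /grant 'CORP\gMSA-DXIM-nimbus$:(OI)(CI)M' /T

Start-Service -Name $svc
Get-Service -Name $svc | Select-Object Name, Status
```

Run the domain-side block once, then the host block on every robot server. If Test-ADServiceAccount still returns False after the klist purge, the group membership has not replicated to the DC the host is talking to, and a reboot will not help either until it has.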