Create a group Managed Service Account
This topic shows you how to create a group Managed Service Account (gMSA) in
Managed Service for Microsoft Active Directory. Follow these standard instructions
(https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts#create-a-group-managed-service-account)
for setting up the account, and incorporate the following special considerations
for Managed Microsoft AD.
Do not create KDS root key
Usually, the first time you create a gMSA in a domain, you need to generate a
Key Distribution Service (KDS) root key (the Add-KdsRootKey step). Managed Microsoft AD
generates a KDS root key for you when you create the domain, so you can skip that step from
the standard instructions
(https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts#create-a-group-managed-service-account).
View the KDS root key
Before you begin, be sure that the Active Directory Sites and Services tool is
installed from Remote Server Administration Tools (RSAT)
(https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems).
To view the KDS root key, complete the following steps:
1. In Windows, launch the Active Directory Sites and Services tool. To launch
   this tool, you can open the Run command dialog box, and then enter dssite.msc.
2. In the Active Directory Sites and Services tool, select the View tab.
3. In the View menu, select Show Services Node.
4. In the left pane, select Services > Group Key Distribution Service > Master
   Root Keys.
5. The right pane shows a list of keys for your domain. Select a key to view its
   details.
Note that running the Get-KdsRootKey PowerShell cmdlet returns an empty
response even though a valid KDS root key exists: the cmdlet only returns the key when
it is run as a Domain Admin. An empty result from Get-KdsRootKey is therefore not a reason
to run Add-KdsRootKey; confirm the key through the Sites and Services view above instead.
Create account under Managed Service Accounts container
For a Managed Microsoft AD domain, new gMSAs should be created
under the Managed Service Accounts container. By default,
the New-ADServiceAccount cmdlet creates new gMSAs in this location when you do not pass
a -Path parameter. For more information, see the New-ADServiceAccount cmdlet
(https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount?view=windowsserver2022-ps).
Delegate administration of Managed Service Accounts
You can delegate the administration of the Managed Service Accounts container to a user by
adding them to the Cloud Service Managed Service Account Administrators group, rather than
granting custom ACLs on the container.
For more information about the groups that Managed Microsoft AD creates for you, see Groups
(/managed-microsoft-ad/docs/objects#groups).
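The following PowerShell session ties the sections above together: it checks for the KDS root key without creating one, creates a gMSA in the default Managed Service Accounts container with a tightly scoped retrieval group, verifies where the account landed, and delegates the container through the built-in group. It is an added example for this page, not Google's or Microsoft's own code. It assumes the RSAT ActiveDirectory module is installed, that the session runs as a member of Cloud Service Managed Service Account Administrators (with enough rights to add members to that group for step 4), and that the domain, gMSA name, host group, computer accounts and operator user named in the script are placeholders you replace with your own. The LDAP fallback in step 1 assumes the root-key objects are listable by delegated admins, as they are in the Sites and Services "Master Root Keys" node; if nothing is returned, use dssite.msc.

```powershell
# Added example for the page above; not Google's or Microsoft's own code.
# Assumptions (replace for your environment): RSAT ActiveDirectory module present,
# current user is in "Cloud Service Managed Service Account Administrators",
# names svc-web01 / gMSA-WebHosts / WEB01$ / WEB02$ / alice are placeholders.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName                    # e.g. DC=ad,DC=example,DC=com
$ConfigDN = (Get-ADRootDSE).configurationNamingContext

# --- 1. Do NOT run Add-KdsRootKey. Confirm the key Managed Microsoft AD already created. ---
# Get-KdsRootKey is empty unless you are a Domain Admin, so an empty result is expected here.
# Fallback: list root-key objects in the configuration partition (assumption: listable by
# delegated admins, matching what dssite.msc shows under Master Root Keys).
$kdsKeys = Get-KdsRootKey
if (-not $kdsKeys) {
    $rootKeyContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$ConfigDN"
    $kdsKeys = Get-ADObject -SearchBase $rootKeyContainer -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msKds-ProvRootKey)' -Properties msKds-CreateTime, msKds-UseStartTime
}
if (-not $kdsKeys) {
    Write-Warning 'No KDS root key visible from this account; confirm it in dssite.msc before continuing.'
} else {
    $kdsKeys | Format-List
}

# --- 2. Create the gMSA. With no -Path it lands in CN=Managed Service Accounts. ---
$GmsaName  = 'svc-web01'                 # assumed; keep the sAMAccountName at 15 characters or fewer
$HostGroup = 'gMSA-WebHosts'             # assumed; must contain ONLY the computers that run the service
$Hosts     = @('WEB01$', 'WEB02$')       # assumed computer accounts (sAMAccountName form)

# Least privilege: every principal allowed to retrieve the managed password can read
# msDS-ManagedPassword and therefore act as the service. Never use a broad group here.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $GmsaName gMSA password"
}
Add-ADGroupMember -Identity $HostGroup -Members $Hosts

New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames "HTTP/web.$($Domain.DNSRoot)" `
    -Enabled $true

# --- 3. Verify the account is in the expected container and restricted as intended. ---
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties DistinguishedName, `
    PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, msDS-ManagedPasswordInterval
$expectedContainer = "CN=Managed Service Accounts,$DomainDN"
if ($gmsa.DistinguishedName -notlike "*,$expectedContainer") {
    throw "gMSA was created outside ${expectedContainer}: $($gmsa.DistinguishedName)"
}
$gmsa | Format-List Name, DistinguishedName, PrincipalsAllowedToRetrieveManagedPassword, `
    KerberosEncryptionType, msDS-ManagedPasswordInterval

# --- 4. Delegate the container via the built-in group instead of custom ACLs. ---
$Operator        = 'alice'               # assumed user
$DelegationGroup = 'Cloud Service Managed Service Account Administrators'
Add-ADGroupMember -Identity $DelegationGroup -Members $Operator
Get-ADGroupMember -Identity $DelegationGroup | Select-Object Name, objectClass

# --- 5. On each host in $HostGroup (after a reboot or ticket purge so the new group
#        membership is in the computer's token), install and test the account:
#   Install-ADServiceAccount -Identity 'svc-web01'
#   Test-ADServiceAccount   -Identity 'svc-web01'   # True means the host can retrieve the password
```

Step 3 is the check worth keeping in any provisioning script: a gMSA created with an explicit -Path, or by a tool that defaults elsewhere, works technically but falls outside the container that the delegation group and Managed Microsoft AD's own tooling are scoped to. The throw makes that mistake visible immediately rather than at the next audit.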