Event details

If you have an on-premises Active Directory environment, you do not want to miss this session! The AD product group will present and demonstrate some of the new AD capabilities coming in Windows Serv...
Char_Cheesman
Updated Dec 27, 2024
Tony_Pombo's avatar
Tony_Pombo
Iron Contributor
Mar 28, 2024
I don't understand the purpose of DMSA. Why not just move to "old school" MSA or the newer GMSA? Is it just a way to move to a MSA-thing without touching the server where the account is being used? Is there some other benefit I am overlooking? It seems to me that someday, you'll need/want to clean up the old account and touch the "calling servers" anyway.
Wayne_McIntyre's avatar
Wayne_McIntyre
Icon for Microsoft rankMicrosoft
Mar 29, 2024
In addition to the management benefit of moving to a more secure account that Cliff mentioned. There are also direct security improvements of a dmsa over a gmsa. The main one being that dmsa can further be protected by machine binding the credentials with credguard to the machine. Additionally, the password is never sent over the wire, the keys will be exchanged via Kerberos protocol rather than ldap sending the password.