Windows Server 2025 OS security for IT and security pros
So, dMSA is a total replacement for MSA and gMSA?
In other words, we use gMSA extensively. After upgrading to WS25, I should change them all to dMSA?
Also, does this require WS25 domain controllers, or WS25 clients, or both?
Can a dMSA be used for a service running on, say, Windows Server 2022?
For now, you can only migrate traditional service accounts to DMSA (Delegated Managed Service Account). Migrating MSA (managed service account) and gMSA (group managed service account) to DMSA is not supported yet. For DMSA, both the domain controller and the client need to be based on Windows Server 2025.
- Tony_Pombo (Iron Contributor), Mar 28, 2024: So, dMSA is not a replacement for MSA or gMSA, just normal "user" accounts? What about the requirements for dMSA? Does this require WS25 domain controllers, or WS25 clients, or both?
- Ram_Jeyaraman (Microsoft), Mar 28, 2024: Yes, presently only service accounts can be migrated to DMSA. MSA and gMSA are not supported yet. DMSA requires both the domain controller and the client to be based on Windows Server 2025.
- Tony_Pombo (Iron Contributor), Mar 28, 2024: Thank you for the clarification!
- Karl-WE (MVP), Mar 28, 2024: Hope you don't mind a follow-up question. So traditional service account means traditional AD user with "username / password" based? Can he keep his gMSA or should he create a new dMSA instead?
- Ram_Jeyaraman (Microsoft), Mar 29, 2024: Traditional service accounts meaning user accounts in AD that provide security credentials for services or applications running on the OS. More often than not, those accounts use weak passwords, which are often reused across multiple accounts, and often those passwords do not get rotated. Such service accounts are attractive targets for attackers. With DMSA (delegated managed service account), service accounts are bound to the machine identity and thus do not use passwords.