gMSA and Domain Users

%3CLINGO-SUB%20id%3D%22lingo-sub-1484903%22%20slang%3D%22en-US%22%3EgMSA%20and%20Domain%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484903%22%20slang%3D%22en-US%22%3E%3CP%3ELooking%20for%20recommendations%20on%20the%20above%2C%20I%20want%20to%20use%20gMSA%20accounts%20in%20as%20many%20places%20as%20I%20can%20that%20support%20them%20as%20it%20makes%20management%20easier%20not%20having%20to%20deal%20with%20password%20changes%20however%20I%20ran%20into%20a%20snag%20with%20using%20it%20in%20IIS%20for%20an%20AppPool%2C%20in%20the%20scenario%20I%20am%20linking%20a%20UNC%20path%20to%20a%20virtual%20directory%20and%20that%20UNC%20path%20happens%20to%20be%20a%20DFS%20namespace.%20Now%20the%20default%20permissions%20on%20the%20file%20system%20don't%20allow%20access%20to%20a%20DFS%20namespace%20and%20I'm%20not%20really%20sure%20why%20as%20Users%20have%20Domain%20Users%20and%20Authenticated%20Users%20so%20I%20figured%20gMSA%20would%20be%20considered%20an%20Authenticated%20User%20but%20I%20guess%20it%20isn't%2C%20I%20can%20however%20add%20the%20gMSA%20to%20Domain%20Users%20or%20Users%20and%20everything%20works%20fine.%20Is%20there%20a%20recommended%20direction%20when%20using%20a%20gMSA%20in%20this%20fashion%3F%20Should%20I%20add%20the%20gMSA%20to%20the%20servers%20that%20it%20would%20be%20accessing%20for%20example%20to%20the%20file%20server%3F%20Is%20it%20common%20practice%20to%20add%20gMSA%20accounts%20to%20Domain%20Users%20so%20they%20have%20access%20to%20other%20network%20resources%3F%20I%20know%20Microsoft's%20recommendation%20is%20to%20use%20a%20gMSA%20if%20supported%20where%20you%20would%20use%20a%20Domain%20User%20for%20network%20access%20but%20a%20Domain%20Users%20by%20default%20belongs%20to%20Domain%20Users%20that%20is%20added%20to%20Users%20giving%20access%20to%20the%20local%20machine%20if%20using%20default%20permissions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1484903%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

Looking for recommendations on the above, I want to use gMSA accounts in as many places as I can that support them as it makes management easier not having to deal with password changes however I ran into a snag with using it in IIS for an AppPool, in the scenario I am linking a UNC path to a virtual directory and that UNC path happens to be a DFS namespace. Now the default permissions on the file system don't allow access to a DFS namespace and I'm not really sure why as Users have Domain Users and Authenticated Users so I figured gMSA would be considered an Authenticated User but I guess it isn't, I can however add the gMSA to Domain Users or Users and everything works fine. Is there a recommended direction when using a gMSA in this fashion? Should I add the gMSA to the servers that it would be accessing for example to the file server? Is it common practice to add gMSA accounts to Domain Users so they have access to other network resources? I know Microsoft's recommendation is to use a gMSA if supported where you would use a Domain User for network access but a Domain Users by default belongs to Domain Users that is added to Users giving access to the local machine if using default permissions.

 

Thanks

0 Replies