Group Managed Service Account (gMSA) Overview and Security

0.0(0)
Studied by 0 people
call kaiCall Kai
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/14

flashcard set

Earn XP

Description and Tags

Flashcards covering the definition, administration, and security vulnerabilities of Group Managed Service Accounts (gMSAs) within Active Directory.

Last updated 7:58 PM on 5/28/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai

No analytics yet

Send a link to your students to track their progress

15 Terms

1
New cards

Group Managed Service Account (gMSA)

An account managed by Active Directory that provides automatic password management, simplified administration, and support for multiple hosts.

2
New cards

Automatic password management

A feature where passwords for gMSAs are changed automatically by Active Directory every 30 days by default.

3
New cards

Key Distribution Service (KDS) root key

A key created in Active Directory (one per forest) that helps generate unique passwords for gMSAs.

4
New cards

New-ADServiceAccount

The PowerShell command used by administrators to create a gMSA object in Active Directory.

5
New cards

PrincipalsAllowedToRetrieveManagedPassword

A property that lists the specific computers or principals authorized to retrieve and use a gMSA's randomly generated password.

6
New cards

ReadGMSAPassword (BloodHound)

An abuse case identified in BloodHound that occurs when an attacker controls an object with sufficient permissions in the target gMSA's msDS-GroupMSAMembership attribute's DACL.

7
New cards

bloodyAD.py

A tool used by attackers to get object attributes like msDS-ManagedPassword or to change passwords in Active Directory.

8
New cards

Set-DomainUserPassword

A command from the PowerView module used to change the password of a target user identity.

9
New cards

msDS-ManagedPassword

The Active Directory attribute where the gMSA password information is stored.

10
New cards

gmsapasswordreader.exe

A tool used to retrieve gMSA passwords, allowing an attacker to use the resulting NT hash for techniques like pass-the-hash.

11
New cards

Set-AdServiceAccount

A command used to configure gMSA properties, such as granting a specific user permission to read the account password.

12
New cards

Find-InterestingDomainAcl

A PowerView command used to searching for Access Control Entries (ACEs) where specific groups, like gMSA_Managers, have interesting permissions on domain objects.

13
New cards

LSA/LSASS

Local system components from which an authorized host can retrieve a gMSA's plaintext password; if compromised, an attacker can dump these to gain the credentials.

14
New cards

Silver Ticket

A forged Kerberos ticket an attacker may create if they can extract Kerberos key material from memory on a host.

15
New cards

DCSync

A high-privilege attack used to read Active Directory secrets; if an attacker can perform this, the security risk extends beyond a single gMSA.