Intermediate

Managed Service Accounts (gMSA & dMSA)

Group Managed Service Accounts eliminate the risk of forgotten service account passwords — AD auto-generates and rotates 120-character passwords, but attackers have found ways around this too.

Service accounts run background tasks like databases, web servers, and backup jobs. Traditionally, administrators set passwords on these accounts manually and often never change them — making them prime targets for Kerberoasting. Microsoft introduced Managed Service Accounts to fix this. A Group Managed Service Account (gMSA) is a special AD account type whose password is a 120-character random value that Active Directory generates and rotates automatically every 30 days. No human ever knows or types the password. Multiple servers can share a single gMSA. Delegated Managed Service Accounts (dMSA), introduced in Windows Server 2025, extend this concept with tighter host binding. Together, these account types make traditional Kerberoasting impractical because the password complexity makes offline cracking essentially impossible.
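As an added example (not from the original article), the following PowerShell audit checks the three things the paragraph above turns on: that a KDS root key exists, which principals may retrieve each gMSA's password and how often it rotates, and which legacy user accounts with SPNs are still waiting to be migrated. It assumes the ActiveDirectory and Kds modules and read access to the domain; the gMSA name in the last step is a hypothetical placeholder.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# and Kds PowerShell modules (RSAT) and read access to the domain.
Import-Module ActiveDirectory
Import-Module Kds

# 1. A KDS root key must exist before any gMSA can be created. Its presence
#    is expected; protecting it is what matters, since it derives every
#    gMSA password in the forest.
$rootKeys = Get-KdsRootKey
if (-not $rootKeys) {
    Write-Warning "No KDS root key found: gMSA creation will fail."
} else {
    $rootKeys | Select-Object KeyId, EffectiveTime, CreationTime | Format-Table -AutoSize
}

# 2. Every gMSA, who may read its password, and its rotation interval.
#    Broad retriever lists (e.g. Domain Computers) or an interval well above
#    the 30-day default are findings to review.
Get-ADServiceAccount -Filter * `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            IntervalDays = $_.ManagedPasswordIntervalInDays
            Retrievers   = (@($_.PrincipalsAllowedToRetrieveManagedPassword) -join ', ')
        }
    } | Format-Table -AutoSize

# 3. Migration backlog: user objects that still carry an SPN are the
#    Kerberoastable legacy service accounts. Oldest password first.
Get-ADUser -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object Name, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ', ' } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 4. On a host that should run under a gMSA, confirm it can actually
#    retrieve the managed password (run locally on that host).
# Test-ADServiceAccount -Identity 'svc-sql-gmsa'   # hypothetical gMSA name
```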

Imagine a building where human employees carry ID badges they chose themselves — some pick simple ones that are easy to copy. Managed Service Accounts are like replacing those humans with robots whose badges are generated by the security office: 120 random characters, changed every 30 days automatically. The robots never write down their password or share it. But if an attacker steals the badge-making machine itself (the KDS root key), they can manufacture badges for every robot in the building.

Key Takeaways

  1. gMSAs auto-rotate 120+ character passwords every 30 days — Kerberoasting is impractical against them.
  2. The KDS root key is the master secret — compromising it allows offline computation of all gMSA passwords.
  3. dMSAs (Server 2025) add host-binding via Credential Guard keys for stronger protection.
  4. Golden gMSA attack parallels Golden Ticket: one secret compromises all managed service accounts forest-wide.
  5. Always migrate legacy service accounts to gMSAs to eliminate password-based attack surface.

Why Should I Care?

gMSAs are the single most effective mitigation against Kerberoasting, but they introduce their own attack surface through the KDS root key. Understanding both sides is essential for hardening service account infrastructure.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.