Group Managed Service Accounts - AWS Directory Service

Group Managed Service Accounts

With Windows Server 2012, Microsoft introduced a new method that administrators could use to manage service accounts called group Managed Service Accounts (gMSAs). Using gMSAs, service administrators no longer needed to manually manage password synchronization between service instances. Instead, an administrator could simply create a gMSA in Active Directory and then configure multiple service instances to use that single gMSA.

To grant permissions so users in AWS Managed Microsoft AD can create a gMSA, you must add their accounts as a member of the AWS Delegated Managed Service Account Administrators security group. By default, the Admin account is a member of this group. For more information about gMSAs, see Group Managed Service Accounts Overview on the Microsoft TechNet website.

Related AWS Security Blog post