Support for Group Managed Service Accounts (gMSA) automates password management, reducing manual effort and improving security by handling password rotation and eliminating manual password entry.

In the past, when the installer prompted for user credentials to run the services with gMSA option selected, the password fields were disabled because the operating system managed the credentials.

Automation 360 now supports Group Managed Service Accounts (gMSA) for Windows authentication in Control Room services. This integration enables these services to use gMSA for database authentication, aligning with enterprise identity management practices and minimizing the need for manual credential configuration.

With this feature, Windows authentication with gMSA is seamless: automatic credential management eliminates manual password entry, and the services no longer need an interactive logon, which helps meet compliance and security standards.

You must select the Use a Group Managed Service Account option on the installation authentication screen while setting up your Control Room.

  1. Log in as coreadmin and open PowerShell.
  2. Run the following commands to create the gMSA account (gmsa01$) and allow a client machine to retrieve its password:
    Get-KdsRootKey
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    New-ADServiceAccount -Name gmsa01 -DNSHostName server-01.samenterprise.test -PrincipalsAllowedToRetrieveManagedPassword EC2AMAZ-0000000$
    To allow multiple machines to retrieve the password, pass an array of computer accounts instead:
    New-ADServiceAccount -Name gmsa01 -DNSHostName server-01.samenterprise.test -PrincipalsAllowedToRetrieveManagedPassword @('EC2AMAZ-0000000$', 'EC2AMAZ-1111111$')
  3. Verify that the gMSA account was created with the expected permissions by running Get-ADServiceAccount -Identity "gmsa01" -Properties *. The output should be True.
  4. Ensure that the PrincipalsAllowedToRetrieveManagedPassword property includes the required client machines. Example:
    PrincipalsAllowedToRetrieveManagedPassword : {CN=EC2AMAZ-0000000,CN=Computers,DC=samenterprise,DC=test, CN=EC2AMAZ-1111111,CN=Computers,DC=samenterprise,DC=test}
  5. Check that the gMSA is installed correctly by running the following command (the output should be True):
    Test-ADServiceAccount -Identity "gmsa01"
    Note: To install the gMSA on client machines, repeat steps 1 through 3, then configure the database by adding the gmsa01 user and assigning it the sysadmin role.
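The following script is an added example, not Automation Anywhere's own tooling. It carries steps 2 through 4 and the database note through in one pass: it creates (or updates) the gMSA with an explicit list of hosts allowed to retrieve its password, reads the list back and compares it against the intended set, and registers the account in SQL Server. It assumes a host with the ActiveDirectory module (RSAT) and the SqlServer module, domain-admin rights, and the placeholder host, domain and instance names used on this page (server-01.samenterprise.test, EC2AMAZ-0000000$, EC2AMAZ-1111111$); sqlserver-01.samenterprise.test is an invented placeholder.

```powershell
# Added example (not Automation Anywhere's script): create the gMSA with a
# minimal, explicit set of hosts allowed to retrieve its password, verify the
# result, and register the account in SQL Server. Names are placeholders.
#Requires -Modules ActiveDirectory, SqlServer

$GmsaName      = 'gmsa01'
$DnsHostName   = 'server-01.samenterprise.test'
$DomainNetbios = 'SAMENTERPRISE'
$SqlInstance   = 'sqlserver-01.samenterprise.test'              # placeholder
$AllowedHosts  = @('EC2AMAZ-0000000$', 'EC2AMAZ-1111111$')      # computer accounts end with $

# Step 2a: a KDS root key must exist before any gMSA can be created.
# Backdating -EffectiveTime is the page's lab shortcut; in production, wait
# out the default 10-hour replication window instead.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Step 2b: create the account, or update the allowed principals if it exists.
$existing = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'"
if (-not $existing) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
} else {
    Set-ADServiceAccount -Identity $GmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
}

# Steps 3-4: read the principals back and compare them to the intended set.
# Any host on this list can obtain the password and run code as the gMSA,
# so the list is an access-control boundary and should contain nothing extra.
$acct   = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$actual = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
}
$extra   = $actual       | Where-Object { $_ -notin $AllowedHosts }
$missing = $AllowedHosts | Where-Object { $_ -notin $actual }
if ($extra)   { Write-Warning "Unexpected principals can retrieve the password: $($extra -join ', ')" }
if ($missing) { Write-Warning "Intended hosts not yet allowed: $($missing -join ', ')" }
if (-not $extra -and -not $missing) {
    Write-Host "PrincipalsAllowedToRetrieveManagedPassword matches the intended set."
}

# Database note: create a Windows login for the gMSA and grant the role the
# page requires. The login name is DOMAIN\gmsa01$ (trailing $ included).
$login = '{0}\{1}$' -f $DomainNetbios, $GmsaName
$query = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$login];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query
```

The comparison in the middle is the part worth keeping as a recurring check: PrincipalsAllowedToRetrieveManagedPassword is what decides which machines can act as the service account, so drift in that list (a decommissioned host left in, a group added for convenience) widens the account's blast radius without any password ever being disclosed. The sysadmin grant is what this page's note requires; keep the set of hosts that can retrieve the password to exactly the Control Room machines that need it.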
To configure gMSA on Control Room virtual machines, navigate to Administration > Security Settings > Local Policies > User Rights Assignment > Local System Account and ensure that gMSA (example SAMENTERPRISE\gmsa02$) is listed.
Note: You must grant Administrator privileges to the gMSA account in the Control Room VM.
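As an added example (not part of the original page), the script below runs on a Control Room VM and checks the client-side state described above: it installs the gMSA on the host, confirms the host can retrieve the managed password (step 5), confirms the account is in the local Administrators group as this note requires, and lists which services actually run under a domain account so a service still bound to a regular user can be spotted. It assumes the ActiveDirectory module is present on the VM, an elevated PowerShell session, and the page's example account SAMENTERPRISE\gmsa02$.

```powershell
# Added example (not Automation Anywhere's script): verify the gMSA setup on a
# Control Room VM. Account and domain names are placeholders from the page.
#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator

$GmsaName   = 'gmsa02'
$GmsaDomain = 'SAMENTERPRISE'
$GmsaLogon  = '{0}\{1}$' -f $GmsaDomain, $GmsaName      # SAMENTERPRISE\gmsa02$

# Client-side install: bind the gMSA to this computer account. This succeeds
# only if this host is listed in PrincipalsAllowedToRetrieveManagedPassword.
Install-ADServiceAccount -Identity $GmsaName -ErrorAction Stop

# Step 5: True means this host could retrieve the managed password.
$canRetrieve = Test-ADServiceAccount -Identity $GmsaName
Write-Host "Test-ADServiceAccount $GmsaName : $canRetrieve"

# Local Administrators membership required for the Control Room VM.
$admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$isAdmin = $admins -contains $GmsaLogon
Write-Host "$GmsaLogon in local Administrators : $isAdmin"

# Services running under a domain account. After migration the Control Room
# services should show StartName = SAMENTERPRISE\gmsa02$; one still showing a
# plain domain user has not been switched to the gMSA.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -like "$GmsaDomain\*" } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize
```

Test-ADServiceAccount returning False after Install-ADServiceAccount almost always means this computer account is missing from the gMSA's PrincipalsAllowedToRetrieveManagedPassword on the domain side, which is the list step 4 above asks you to confirm.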

For information on silent installation, see Installing Control Room on Microsoft Windows Server using scripts.