
Provide ability to Use Group Managed Services Account (gMSA) for Monitoring Nodes

"WE CAN USE GMSA ACCOUNT IN SOLARWINDS TO MONITOR THE WMI BOX" talked about this same topic and stated that Support said they had created a Feature Request for it. I opened a case and talked to Support about this and they could not find such a Feature Request, but one was now created under case 00429335.

In our case, we have been looking at ways to tighten security within our environment and one is to enforce the changing of passwords more often including on admin level accounts.  Some of the accounts we use for monitoring are admin accounts which would make maintaining access to the monitored Nodes an administrative nightmare.  In some cases we will be deploying Agents, which will eliminate the need for admin access to the Nodes for monitoring, but in others, we are still working on a solution.

One solution is using a gMSA account (read more about these at Microsoft's Group Managed Services Account Overview page). However, SolarWinds Orion modules do not yet support this ability. This Feature Request is an opportunity for the customer community to push the implementation of this ability forward.

4 Comments
Product Manager

My understanding of Group Managed Service accounts is that these can only be used by Windows services. These are not accounts which can be used to log in to a machine, or connect remotely to one via WMI, etc. GMSA accounts were created to allow a distributed application a secure method of running under the same user context in Windows. These are not 'service' accounts in the sense that these are accounts used to service and monitor the machine. Again, if my understanding is mistaken, please let me know.

Level 7

gMSA is definitely not restricted to Windows-centric services; IIS application pools, task scheduler, and even third-party products can use them. In fact, our AD backup product was set up to run in the context of the gMSA, and we only needed to add the gMSA account to Backup Operators on the DCs. SAM would be an ideal candidate if you allow a “blank” password in the wizard, and the product knows how to retrieve the credentials of the gMSA. Then, you could tier your monitoring accounts with passwords that auto-rotate and are not needed by the human operators; it just requires that the gMSAs belong to the correct Windows groups on the monitored assets.

We definitely want full gMSA support as well.
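The Active Directory side of what the comment above describes (a gMSA whose password only named hosts can retrieve, added to a local group on the monitored asset), as an added PowerShell example that is not from any poster in this thread or from SolarWinds. It assumes the ActiveDirectory RSAT module; the account, group and domain names are hypothetical, and the local group is only an illustration of "the correct Windows groups".

```powershell
# Added example: all names are hypothetical placeholders, not values from this thread.
Import-Module ActiveDirectory

$GmsaName  = 'svc-monitor'               # hypothetical gMSA name
$DnsName   = 'svc-monitor.corp.example'  # hypothetical DNS host name
$HostGroup = 'Monitoring-Hosts'          # hypothetical AD group of servers that run the service
$Domain    = 'CORP'                      # hypothetical NetBIOS domain name

function New-MonitoringGmsa {
    # Run once with rights to create service accounts in the domain.
    if (-not (Get-KdsRootKey)) {
        throw 'No KDS root key in this forest; a domain admin must create one first.'
    }
    # Only members of $HostGroup can retrieve the managed password,
    # which AD rotates every 30 days (the interval is fixed at creation).
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30
}

function Install-MonitoringGmsa {
    # Run on each server in $HostGroup (restart after the group change so the
    # computer account picks up its new membership).
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "This host cannot retrieve the password for $GmsaName."
    }
}

function Grant-MonitoringAccess {
    # Run on a monitored node. The local group is an assumption; use whichever
    # group gives the access your monitoring actually needs.
    param([string]$LocalGroup = 'Performance Monitor Users')
    Add-LocalGroupMember -Group $LocalGroup -Member ('{0}\{1}$' -f $Domain, $GmsaName)
}

function Get-MonitoringGmsaAudit {
    # Review who may retrieve the password and when it was last set.
    Get-ADServiceAccount -Identity $GmsaName -Properties `
        PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet |
        Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet
}
```

Each function runs on a different machine, as its comment notes; none of this makes a product use the gMSA unless that product supports running under one.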

Level 11

@aLTeReGo, Group Managed Service accounts are currently a security mandate to interact with Microsoft SQL in most secure organizations where a password auto-rotate policy is active.

We are also looking forward to a solution from SolarWinds to utilize gMSA for the SolarWinds platform to interact with the SolarWinds Orion database rather than using a typical SQL or Windows account.

Product Manager

Thank you @dhinagar_j. I have logged this as a feature request and am tracking it internally under CORE-14256.