From ac4202f77360c142a738516ef67dd2fee49447e8 Mon Sep 17 00:00:00 2001 From: Will Aftring Date: Tue, 9 Dec 2025 16:32:40 -0500 Subject: [PATCH 1/2] Update manage-group-managed-service-accounts.md --- .../manage-group-managed-service-accounts.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md b/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md index 11b07d8336..06088b4720 100644 --- a/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md +++ b/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md @@ -66,6 +66,8 @@ For Kerberos authentication to work with services using gMSAs, the following are - All systems involved in the authentication process must have synchronized clocks. Kerberos is sensitive to time configuration, and discrepancies can cause authentication failures. +- All systems that are intended to logon as, or be installed with a gMSA must support Kerberos encryption types required by gMSA. Systems that do not meet this requirement cannot log on or install gMSA. + If you're managing AD from a computer that isn't a domain controller, install the Remote Server Administration Tools (RSAT) to access the necessary management features. RSAT provides the AD module for PowerShell. After installing RSAT, open PowerShell as an administrator and run `Import-Module ActiveDirectory` to enable AD management cmdlets. This allows administrators to manage AD remotely and securely, minimizing the load on domain controllers. ### Create a gMSA From 9a744d660bf226ceb2287788a4439a5618f62fd8 Mon Sep 17 00:00:00 2001 
From: Diana Richards Date: Tue, 9 Dec 2025 16:01:05 -0600 Subject: [PATCH 2/2] Update WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../manage-group-managed-service-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md b/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md index 06088b4720..1259d2b500 100644 --- a/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md +++ b/WindowsServerDocs/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts.md 
@@ -66,7 +66,7 @@ For Kerberos authentication to work with services using gMSAs, the following are - All systems involved in the authentication process must have synchronized clocks. Kerberos is sensitive to time configuration, and discrepancies can cause authentication failures. -- All systems that are intended to logon as, or be installed with a gMSA must support Kerberos encryption types required by gMSA. Systems that do not meet this requirement cannot log on or install gMSA. +- All systems that are intended to log on as, or be installed with a gMSA must support Kerberos encryption types required by gMSA. Systems that do not meet this requirement cannot log on or install gMSA. If you're managing AD from a computer that isn't a domain controller, install the Remote Server Administration Tools (RSAT) to access the necessary management features. RSAT provides the AD module for PowerShell. After installing RSAT, open PowerShell as an administrator and run `Import-Module ActiveDirectory` to enable AD management cmdlets. This allows administrators to manage AD remotely and securely, minimizing the load on domain controllers.
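Review bot: The bullet added in [PATCH 1/2] requires support for the "Kerberos encryption types required by gMSA" but never says which encryption types those are or how an administrator would check a system against them, so the prerequisite cannot be acted on as written. Name the required types in the bullet, or link to the article that documents them. The closing sentence, "cannot log on or install gMSA", would also help troubleshooting more if it said what the failure looks like. Separately, "logon as" uses the noun form as a verb.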
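Review bot: The replacement line in [PATCH 2/2] fixes "logon" but leaves an unbalanced comma in "log on as, or be installed with a gMSA must support", which makes the subject hard to parse. Either close the aside with a second comma after "a gMSA" or restructure, for example "All systems that log on as a gMSA, or that have a gMSA installed, must support the Kerberos encryption types the gMSA requires." In the second sentence, "install gMSA" is missing its article, and "do not" is inconsistent with the contractions in the surrounding context ("you're", "isn't").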