Create a gMSA for use with SharpHound Enterprise

This article applies to BHE

Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.

Detailed software requirements from Microsoft are available here.

Microsoft gMSA documentation is available here.

Prepare the domain

  1. Log into a domain controller in the domain in which you want to create the gMSA.

  2. Run the following to validate whether the domain has a KDS Root Key configured:

  3. If a key is already configured (as seen below), skip this step:

    Otherwise, create the KDS Root Key:

    ```powershell
    Add-KdsRootKey -EffectiveImmediately
    ```
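    The check-then-create logic of steps 2 and 3 in one script, as an added example (not code from the original article): it lists any existing KDS root keys with `Get-KdsRootKey` and only calls `Add-KdsRootKey` when none exists. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module installed.

    ```powershell
    # Added example: create a KDS root key only if the domain does not already have one.
    # Run elevated on a domain controller; requires the ActiveDirectory RSAT module.
    Import-Module ActiveDirectory

    $kdsKeys = Get-KdsRootKey
    if ($kdsKeys) {
        Write-Host "KDS root key(s) already present; skipping creation:"
        $kdsKeys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
    }
    else {
        Write-Host "No KDS root key found; creating one."
        # -EffectiveImmediately makes the key usable on this DC right away, but in a multi-DC domain
        # New-ADServiceAccount can still fail with "Key does not exist" until the key has replicated
        # to all Domain Controllers (see the NB in the next section).
        Add-KdsRootKey -EffectiveImmediately
    }
    ```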

Create the gMSA and password read group

Perform the following steps from/against a writeable Domain Controller.

  1. Create a gMSA password read group for computers that should have access to the gMSA password. The SharpHound Enterprise server will later be added to this group.

    Browse to the desired location in Users and Computers and create the group.
    Alternatively, use the following template to create the group with PowerShell:

    ```powershell
    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $pwdReadOUDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the OU in which to create the password read group

    New-ADGroup `
        -Name "$($gmsaName)_pwdRead" `
        -GroupScope Global `
        -GroupCategory Security `
        -Path $pwdReadOUDN `
        -Description "This group grants the rights to retrieve the password of the BloodHound Enterprise data collector (SharpHound Enterprise) gMSA '$gmsaName'."
    ```

  2. Add the SharpHound Enterprise server as a member of the gMSA password read group, which allows it to access the password of the gMSA and run the service.

    You can add the computer to the group in Users and Computers.
    Alternatively, use the following template to add the group membership with PowerShell:

    ```powershell
    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $shServerDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the SharpHound Enterprise server's computer object

    Add-ADGroupMember `
        -Identity "$($gmsaName)_pwdRead" `
        -Members $shServerDN
    ```

  3. Create the gMSA and allow the password read group to retrieve its password.

    Use the following template to create the gMSA and grant the retrieve right with PowerShell:

    ```powershell
    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $gmsaOUDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the OU in which to create the gMSA

    New-ADServiceAccount -Name $gmsaName `
        -Description "SharpHound Enterprise service account for BloodHound Enterprise" `
        -DNSHostName "$($gmsaName).$((Get-ADDomain).DNSRoot)" `
        -ManagedPasswordIntervalInDays 32 `
        -PrincipalsAllowedToRetrieveManagedPassword "$($gmsaName)_pwdRead" `
        -Enabled $True `
        -AccountNotDelegated $True `
        -KerberosEncryptionType AES128,AES256 `
        -Path $gmsaOUDN
    ```

    NB: If the error "New-ADServiceAccount : Key does not exist" appears, try again in 10 hours; this gives AD replication of the KDS root key time to converge on all Domain Controllers.
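    A verification script for steps 1 to 3, as an added example (not code from the original article): it confirms that the SharpHound Enterprise server's computer account is a member of the password read group, that this group is the only principal allowed to retrieve the managed password, and that the hardening settings from step 3 (`AccountNotDelegated`, AES-only Kerberos encryption, 32-day password interval) are in place. It assumes the article's naming (`t0_gMSA_SHS`, `t0_gMSA_SHS_pwdRead`) and uses a placeholder for the server's computer account name.

    ```powershell
    # Added example: verify the gMSA, the password read group and the server's membership.
    # Run from a writeable Domain Controller or any host with the ActiveDirectory RSAT module.
    Import-Module ActiveDirectory

    $gmsaName     = "t0_gMSA_SHS"
    $pwdReadGroup = "$($gmsaName)_pwdRead"
    $shServerName = "<SERVER_NAME>"   # placeholder: computer account name of the SharpHound Enterprise server

    $group  = Get-ADGroup -Identity $pwdReadGroup -Properties Members
    $server = Get-ADComputer -Identity $shServerName
    $gmsa   = Get-ADServiceAccount -Identity $gmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, `
                    AccountNotDelegated, 'msDS-ManagedPasswordInterval'

    # Check 1: the server's computer object must be a direct member of the password read group,
    # otherwise the server cannot fetch the managed password and the service will fail to start.
    $serverInGroup = $group.Members -contains $server.DistinguishedName

    # Check 2: only the password read group should be allowed to retrieve the managed password.
    # Any extra principal here is an additional path to the collector's credentials.
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    $onlyGroupAllowed = ($allowed.Count -eq 1) -and ($allowed[0] -eq $group.DistinguishedName)

    # Check 3: hardening settings from step 3.
    $encTypes = $gmsa.KerberosEncryptionType.ToString()
    $aesOnly  = ($encTypes -match 'AES') -and ($encTypes -notmatch 'RC4|DES')

    [PSCustomObject]@{
        ServerInPwdReadGroup        = $serverInGroup
        OnlyPwdReadGroupCanRetrieve = $onlyGroupAllowed
        AccountNotDelegated         = [bool]$gmsa.AccountNotDelegated
        KerberosEncryptionType      = $encTypes
        AesOnly                     = $aesOnly
        PasswordIntervalDays        = $gmsa.'msDS-ManagedPasswordInterval'
    }
    ```

    Every field of the resulting object should read `True` (or `AES128, AES256` and `32` for the last two); a `False` in the first row is the usual cause of a later `Test-ADServiceAccount` returning `False` on the server.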

Prepare the SharpHound Enterprise server

  1. Restart the SharpHound Enterprise server so that the server's membership of the `pwdRead` group takes effect.

  2. Add the gMSA to the local Administrators group on the SharpHound Enterprise server. This can be done, for example, through `lusrmgr.msc` or via a policy deployment method such as a GPO.

  3. Optional: Test that the SharpHound Enterprise server can retrieve the gMSA password; see Test the gMSA (optional) below.
  4. The gMSA is now ready to be used on the SharpHound Enterprise server. Follow Install and Upgrade SharpHound Enterprise to complete the installation of the SharpHound Enterprise service.

Test the gMSA (optional)

  1. Check the status of the RSAT PowerShell module. On the SharpHound Enterprise server, open a PowerShell as an Administrator and run:

    ```powershell
    Get-WindowsCapability -Name RSAT* -Online
    ```

    If the Install State shows "Installed", skip to step 2; otherwise run:

    ```powershell
    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
    ```

  2. In the elevated PowerShell, test that the SharpHound server can retrieve the gMSA password by running:

    ```powershell
    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA

    Test-ADServiceAccount -Identity $gmsaName
    ```

  3. The test is successful if the command responds with "True".

Add the gMSA to the SharpHound Enterprise service

Change the SharpHound Enterprise service to be run by the created gMSA. This can be done in two ways:

Using Services GUI / 'services.msc'

  1. Open the Services application / 'services.msc' as a local administrator

  2. Open properties of the service: SharpHoundDelegator

  3. In the Log On tab, select "This account" and set it to the gMSA

  4. Delete the contents of the password fields if present

  5. Save by clicking OK

Using command line / 'sc.exe'

  1. Open command prompt/PowerShell as a local administrator

  2. Run the following command, replacing 'DOMAIN' and the gMSA name to match your environment:

    ```powershell
    sc.exe config SHDelegator obj= "DOMAIN\t0_gMSA_SHS$"
    ```
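    The same change with a check that it took effect, as an added example (not code from the original article): it runs the `sc.exe config` command from the step above and then reads the service's logon account back through WMI/CIM. It assumes the service name `SHDelegator` used in the command above and uses `DOMAIN\t0_gMSA_SHS$` as a placeholder for your environment's gMSA.

    ```powershell
    # Added example: set the SharpHound Enterprise service logon account to the gMSA and verify it.
    # Run in an elevated PowerShell on the SharpHound Enterprise server.
    $serviceName = 'SHDelegator'
    $gmsaAccount = 'DOMAIN\t0_gMSA_SHS$'   # placeholder; gMSA logon names end with '$'

    # sc.exe requires the space after 'obj='. No password is supplied: the service control
    # manager fetches the managed password from AD, which is why the server must be in the pwdRead group.
    sc.exe config $serviceName obj= $gmsaAccount
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }

    # Read the configured logon account back and compare it with what was set.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
    if ($null -eq $svc) {
        throw "Service '$serviceName' was not found on this host"
    }
    $svc | Select-Object Name, DisplayName, StartName, State

    if ($svc.StartName -ne $gmsaAccount) {
        Write-Warning "Service logon account is '$($svc.StartName)', expected '$gmsaAccount'"
    }
    ```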