Create a gMSA for use with SharpHound Enterprise

  • Updated

This article applies to BHE

Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.

Detailed software requirements from Microsoft are available here.

Microsoft gMSA documentation is available here.

Prepare the domain

  1. Log into a domain controller within the domain you want to create a GMSA.
  2. Run the following to validate whether the domain has a KDS Root Key configured:
    Get-KdsRootKey
  3. If already configured (as seen below), skip this step:
    mceclip0.png

    Otherwise, create the KDS Root Key:
    Add-KdsRootKey -EffectiveImmediately
    mceclip2.png

Create the gMSA and password read group

Perform the following steps from/against a writeable Domain Controller.

  1. Create a gMSA password read group for computers that should have access to the gMSA password. The SharpHound Enterprise server will later be added to this group.

    Browse to the desired location in Users and Computers and create the group.
    Alternatively, use the following following template to create the group using PowerShell:
    $gmsaName = "t0_gMSA_SHS"

    New-ADGroup `
    -Name "$($gmsaName)_pwdRead" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "<DistinguishedName group OU location>" `
    -Description "This group grants the rights to retrieve the password of the BloodHound Enterprise data collector (SharpHound) gMSA '$gmsaName'." `
    -PassThru
  2. Add the SharpHound server as a member of the gMSA password read group, which allows it to access the password of the gMSA and run the service.

    You can add the computer to the group in Users and Computers.
    Alternatively, use the following following template to add group membership using PowerShell:
    $gmsaName = "t0_gMSA_SHS"

    Add-ADGroupMember `
    -Identity "$($gmsaName)_pwdRead" `
    -Members "<DistinguishedName of SharpHound server>" `
    -PassThru
  3. Create the gMSA and allow the password read group to retrieve it's password.

    Use the following following template to create the gMSA and set the retrieve right using PowerShell:
    $gmsaName = "t0_gMSA_SHS"

    New-ADServiceAccount -Name $gmsaName `
    -Description "SharpHound service account for BloodHound Enterprise" `
    -DNSHostName "$($gmsaName).$((Get-ADDomain).DNSRoot)" `
    -ManagedPasswordIntervalInDays 32 `
    -PrincipalsAllowedToRetrieveManagedPassword "$($gmsaName)_pwdRead" `
    -Enabled $True `
    -AccountNotDelegated $True `
    -KerberosEncryptionType AES128,AES256 `
    -Path "<DistinguishedName of gMSA OU location>" `
    -PassThru

Prepare the SharpHound server

  1. Restart the SharpHound server so that the server's membership of the `pwdRead` group takes effect.
  2. Add the gMSA to the local Administrators group on the SharpHound server. This can for example be done through `lusrmgr.msc`, or policy deployment methods like a GPO.
  3. Optional: Test that the SharpHound server can retrieve the gMSA password, see Test the gMSA (optional)
  4. The gMSA is now ready to be used on the SharpHound server. Follow Install and Upgrade SharpHound Enterprise to complete the installation of the SharpHound Enterprise service.

Test the gMSA (optional)

  1. Check the status of the RSAT PowerShell module. On the SharpHound server, open a PowerShell as an Administrator and run: 
    Get-WindowsFeature RSAT-AD-PowerShell
    mceclip4.png
    If the Install State shows "Installed" then skip to step 2, otherwise run: 
    Install-WindowsFeature RSAT-AD-PowerShell
    mceclip5.png
  2. In the elevated PowerShell, test that the SharpHound server can retrieve the gMSA password by running: 
    $gmsaName = "t0_gMSA_SHS"

    Test-ADServiceAccount -Identity $gmsaName
    mceclip7.png
  3. The test is successful of the command responds with "True"

Add the gMSA to the SharpHound Enterprise service

Change the SharpHound service to be run by the created gMSA. This can be done in two ways:

Using command line / 'services.msc'

  1. Open the Services application / 'services.msc' as a local administrator
  2. Open properties of the service: SharpHoundDelegator
  3. In the Log On tab; set This account to be the gMSA
  4. Delete the contents of the password fields if present
  5. Save by clicking OK

Using command line / 'sc.exe'

  1. Open command prompt/PowerShell as a local administrator
  2. Run the following command, replacing 'DOMAIN' and the gMSA name to match your environment 
    sc.exe config SHDelegator obj= "DOMAIN\t0_gMSA_SHS$"