This is the 'official' way to do this now according to Microsoft to avoid managing individual service account passwords. We should support it.
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Currently we monitor Windows Servers over WMI/WinRM. This requires a dedicated service account with one of the following levels of access:
- Local Admin
- Domain User with elevated access
- Domain Admin (preferred)
We currently monitor AD servers (domain controllers) over WMI/WinRM using a Domain Admin account, because in practice remote WMI/WinRM monitoring of a domain controller has required a Domain Admin-level account.
This is a security risk for the customer: they have to enter Domain Admin credentials for the AD server into Netreo.
Although these credentials are encrypted when stored in Netreo, they are not automatically updated or lifecycle-managed.
Whenever the password changes, the customer must manually re-enter it in Netreo. In a typical enterprise environment the Domain Admin password is rotated roughly every 3 months, so this is recurring manual work, and a missed update breaks monitoring until the stored credential is corrected.
Microsoft's recommended approach for this is a Managed Service Account (MSA) or, more recently, a group Managed Service Account (gMSA) (gMSAs have been available since Windows Server 2012).
With this method, Netreo does not store a password at all. The gMSA password is generated and rotated by the domain's Key Distribution Service (KDS); a host that is listed in the account's PrincipalsAllowedToRetrieveManagedPassword retrieves the current password from AD itself and authenticates with Kerberos as the gMSA, which is then granted the privileges needed to monitor the Windows Servers (Domain Admin in the current design).
This reduces the risk from the customer's point of view because:
- No credentials are stored in Netreo.
- Credential lifecycle management is no longer the customer's concern: the gMSA password is rotated automatically on the AD side (every 30 days by default) and the host picks up the new password transparently.
Note that the gMSA is still a Domain Admin-level identity. Any host that is allowed to retrieve its managed password effectively holds Domain Admin, so that list must be restricted to the Netreo poller hosts, and the KDS root key must exist in the forest before the gMSA can be created.
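The setup described above, end to end, as an added PowerShell example (this is not Netreo's own code and is not from the Microsoft article). The domain CONTOSO / contoso.local, the gMSA name gmsa-netreo, the group Netreo-Pollers, the poller host NETREO01 and the monitored domain controller DC01 are all hypothetical names chosen for the example; steps 1-3 run on a domain-joined admin workstation with the ActiveDirectory RSAT module, steps 4-5 run on the poller host:

```powershell
# Added example, not part of the original request or Netreo's code.
# Hypothetical names: domain CONTOSO / contoso.local, gMSA 'gmsa-netreo',
# group 'Netreo-Pollers', poller host 'NETREO01', monitored DC 'DC01'.
Import-Module ActiveDirectory

# 1. KDS root key (one per forest). In production a new key becomes usable only
#    after ~10 hours so every DC has replicated it; backdating EffectiveTime is a
#    lab-only shortcut and must not be used in a customer environment.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. Group whose members may retrieve the managed password. This group is the
#    real security boundary: every member host can read the gMSA password and
#    therefore act with the gMSA's privileges.
New-ADGroup -Name 'Netreo-Pollers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Netreo-Pollers' -Members (Get-ADComputer 'NETREO01')

# 3. Create the gMSA. The password is rotated every 30 days (the default) and
#    Kerberos is limited to AES; no human ever sees the password.
New-ADServiceAccount -Name 'gmsa-netreo' `
    -DNSHostName 'gmsa-netreo.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Netreo-Pollers' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# Grant the monitoring rights the request assumes (Domain Admin). A less
# privileged group is preferable wherever the monitored data allows it.
Add-ADGroupMember -Identity 'Domain Admins' -Members (Get-ADServiceAccount 'gmsa-netreo')

# Verify that only the intended group can retrieve the password.
(Get-ADServiceAccount 'gmsa-netreo' -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# 4. On the poller host NETREO01. The host must be rebooted (or its computer
#    Kerberos tickets purged) after step 2 so its ticket carries the new group.
Install-ADServiceAccount -Identity 'gmsa-netreo'
Test-ADServiceAccount -Identity 'gmsa-netreo'   # returns True when the password can be retrieved

# 5. Run the collector as the gMSA. A scheduled task with LogonType Password is
#    the supported way to start a process as a gMSA: the OS fetches the managed
#    password itself, so no credential is supplied or stored by the task.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "Get-CimInstance -ComputerName DC01 -ClassName Win32_OperatingSystem | Select-Object CSName,LastBootUpTime"'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-netreo$' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Netreo-Poll-DC01' -Action $action -Principal $principal
```

The same principal-based pattern applies to a Windows service: the service is configured to log on as CONTOSO\gmsa-netreo$ with a blank password and the Service Control Manager retrieves the managed password at start-up. The check in step 4 is the one to wire into a support runbook, since a False result almost always means the host is not (yet) in the retrieval group or the KDS root key is not yet effective.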
Reference Microsoft article:
https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview