How To: Retrieving gMSA Password Details

Group Managed Service Accounts (gMSAs) are service accounts whose passwords Active Directory generates and rotates automatically, so no administrator ever has to know or change them; for more details see this article.

This article covers how to use NetTools to view the details of Group Managed Service Accounts (gMSAs), including the current and previous password for each account. gMSA objects are stored in the domain partition, by default in the Managed Service Accounts container. The easiest way to retrieve the password is the AD Properties dialog, which lets you copy the password to the clipboard. However, the domain controller only releases the password to principals that are allowed to retrieve it: the account doing the lookup (or a group it belongs to) must be listed in the msDS-GroupMSAMembership attribute of the gMSA (the PrincipalsAllowedToRetrieveManagedPassword setting). If it is not, the password fields are simply not returned.

The details shown in the Password section of the dialog come from the msDS-ManagedPassword and msDS-ManagedPasswordId attributes of the object. msDS-ManagedPassword is a constructed attribute: the domain controller computes it on each read and returns it as a binary blob that contains both the current and the previous password. Both attributes can be returned by LDAP Search, but because they are protected, LDAP Search needs a specific setup before the domain controller will return them.

If you run a basic LDAP query for these attributes over a plain, unencrypted connection you will receive the following error:

In order to retrieve the password details the connection must be encrypted, otherwise the domain controller will not return the attribute values. To encrypt the connection, use the LDAP Session Options to enable encryption before the connection is made. The screenshot below shows the steps to complete the configuration.

  1. Click on the Session Options button at the end of the server field
  2. Tick the check box for the LDAP_OPT_ENCRYPT option
  3. Double click on the item to configure the option
  4. Change the setting to On, click OK and close the Session Options dialog

Once the Session Options are configured and encryption is enabled on the connection, the attribute values are returned. msDS-ManagedPassword comes back as a binary MSDS-MANAGEDPASSWORD_BLOB rather than as plain text, so the password still has to be decoded from the blob.
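The binary value returned in msDS-ManagedPassword is an MSDS-MANAGEDPASSWORD_BLOB (documented in MS-ADTS section 2.2.20). The following Python is an added example, not part of NetTools or of the original article, that decodes such a blob into its current password, previous password (if any) and the two interval fields. Because a real blob can only be obtained from a domain controller over an encrypted connection, the example also includes a small builder that produces a constructed sample blob with the same layout; the sample passwords and intervals are made up, and real gMSA passwords are 256 arbitrary UTF-16 code units rather than short printable strings. Nothing here talks to a directory; feed it the bytes you obtain from LDAP Search (or from Get-ADServiceAccount -Properties 'msDS-ManagedPassword', which uses an encrypted ADWS channel).

```python
"""Decode an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20).

Added example for this article; not NetTools code. The layout is:
  Version (2)  Reserved (2)  Length (4)
  CurrentPasswordOffset (2)  PreviousPasswordOffset (2)
  QueryPasswordIntervalOffset (2)  UnchangedPasswordIntervalOffset (2)
  CurrentPassword (UTF-16LE, NUL terminated)
  PreviousPassword (UTF-16LE, NUL terminated, optional; offset 0 if absent)
  AlignmentPadding (to an 8 byte boundary)
  QueryPasswordInterval (8, 100 ns units)
  UnchangedPasswordInterval (8, 100 ns units)
All offsets are from the start of the blob.
"""
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_FMT = "<HHIHHHH"          # 16 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
TICKS_PER_SECOND = 10_000_000    # 100 ns ticks


@dataclass
class ManagedPassword:
    version: int
    current_password: str
    previous_password: Optional[str]
    query_password_interval_secs: float
    unchanged_password_interval_secs: float


def _read_utf16z(blob: bytes, offset: int, limit: int) -> str:
    """Read a NUL terminated UTF-16LE string starting at offset, staying below limit."""
    end = offset
    while end + 2 <= limit and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > limit:
        raise ValueError("unterminated UTF-16 string in blob")
    # surrogatepass: a gMSA password is random UTF-16 units and may contain lone surrogates
    return blob[offset:end].decode("utf-16-le", "surrogatepass")


def parse_managed_password_blob(blob: bytes) -> ManagedPassword:
    """Parse a blob as returned in msDS-ManagedPassword; raises ValueError on a malformed one."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than header")
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from(
        HEADER_FMT, blob, 0)
    if version != 1:
        raise ValueError(f"unsupported blob version {version}")
    if length != len(blob):
        raise ValueError("blob Length field does not match data length")
    for off in (cur_off, qpi_off, upi_off):
        if off < HEADER_LEN or off + 8 > length:
            raise ValueError("offset outside blob")
    current = _read_utf16z(blob, cur_off, length)
    previous = _read_utf16z(blob, prev_off, length) if prev_off else None
    qpi, = struct.unpack_from("<Q", blob, qpi_off)
    upi, = struct.unpack_from("<Q", blob, upi_off)
    return ManagedPassword(version, current, previous,
                           qpi / TICKS_PER_SECOND, upi / TICKS_PER_SECOND)


def build_managed_password_blob(current: str, previous: Optional[str],
                                query_interval_secs: float,
                                unchanged_interval_secs: float) -> bytes:
    """Construct a sample blob with the documented layout (test data, not a DC response)."""
    body = current.encode("utf-16-le", "surrogatepass") + b"\x00\x00"
    cur_off = HEADER_LEN
    prev_off = 0
    if previous is not None:
        prev_off = HEADER_LEN + len(body)
        body += previous.encode("utf-16-le", "surrogatepass") + b"\x00\x00"
    body += b"\x00" * ((-(HEADER_LEN + len(body))) % 8)   # AlignmentPadding
    qpi_off = HEADER_LEN + len(body)
    upi_off = qpi_off + 8
    length = upi_off + 8
    header = struct.pack(HEADER_FMT, 1, 0, length, cur_off, prev_off, qpi_off, upi_off)
    tail = struct.pack("<QQ", int(query_interval_secs * TICKS_PER_SECOND),
                       int(unchanged_interval_secs * TICKS_PER_SECOND))
    return header + body + tail


# Constructed sample: made-up passwords, 30 day query interval, 60 day unchanged interval.
SAMPLE_BLOB = build_managed_password_blob("Curr3nt!", "Pr3vious!", 30 * 86400, 60 * 86400)

if __name__ == "__main__":
    decoded = parse_managed_password_blob(SAMPLE_BLOB)
    print(f"current:   {decoded.current_password!r}")
    print(f"previous:  {decoded.previous_password!r}")
    print(f"re-query in {decoded.query_password_interval_secs / 86400:.1f} days")
```

The offset and length checks matter because the blob comes straight off the wire: a parser that trusts the header offsets will read out of bounds on a truncated or hostile value. The previous password is only present for a short window after a rotation (PreviousPasswordOffset is 0 otherwise), which is why the field is optional.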