Group Managed Service Accounts Overview

Group Managed Service Accounts Overview | Microsoft Learn

Domain user account
If the service interacts with network services or accesses domain resources such as file shares on other computers, consider using a minimally privileged domain account. A domain administrator must create the account before the AFService can be configured to use it.


Local user account
If the computer is not part of a domain, a local user account can be used. We recommend that the account not have administrator permissions.


Local Service account
The Local Service account is a built-in low-privilege account. Its limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session, that is, anonymously and without credentials. For service creation, the actual name of the account is NT AUTHORITY\LocalService. For controlling access to local files or other securable objects, the account name is Local Service.


Network Service account
The Network Service account is a built-in low-privilege account. Services that run as the Network Service account access network resources by using the credentials of the computer account. For service creation, the actual name of the account is NT AUTHORITY\NetworkService. For controlling access to local files or other securable objects, the account name is Network Service.

Virtual accounts
A virtual account has the same privileges as the built-in Network Service account. The difference is that a virtual account is specific to one service, whereas multiple services can share the Network Service account. A virtual account therefore allows finer-grained access control for local resources (such as files and folders) than the Network Service account. On Windows versions that support virtual accounts, virtual accounts are preferable to the Network Service or Local Service account for interface services. For service creation, the actual name of the account is NT SERVICE\servicename, where servicename is the name of the service it represents (for example, AFService for the PI AF Server or PIAnalysisManager for PI Analysis Service). Virtual accounts are available on Windows 7 and Windows Server 2008 R2 and later.

Managed Service Account
A Managed Service Account (MSA) is a type of service account that can be associated with services on individual machines. A Managed Service Account is a domain account, and it must be created by a domain administrator. The advantages of an MSA over a domain user account are that the MSA cannot be used to log in to a machine, its password is rotated automatically and managed by the domain, and it cannot be locked out. An MSA applies to a single computer account. Managed Service Accounts are available on Windows 7 and Windows Server 2008 R2 and later.


Group Managed Service Account
A Group Managed Service Account (gMSA) is a type of service account that can be associated with services on multiple machines. A gMSA is a domain account, and it must be created by a domain administrator. The gMSA extends the functionality of the MSA to cover multiple computer accounts, which makes it very useful for clustered SQL Server environments. Group Managed Service Accounts are available on Windows Server 2012 and later.

MSA IIS

Using Group Managed Service Accounts with IIS 10 on Server 2016 | Hans Stanglmayr (wordpress.com)

Use the Group Managed Service Account as the identity: append “$” to the account name and leave the password empty.

Use this account for the web application.
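The gMSA creation described above and its binding to an IIS application pool with the trailing “$” and an empty password, as an added PowerShell example (not code from the Microsoft Learn or Hans Stanglmayr pages). The domain CORP / corp.example, the gMSA gmsa-web, the group WebServers, the host WEB01 and the pool MyAppPool are assumed names.

```powershell
# Added example; all names below are assumed (domain CORP / corp.example,
# gMSA "gmsa-web", group "WebServers", web host WEB01, IIS pool "MyAppPool").

# --- Once per forest (domain administrator): the KDS root key from which gMSA
# passwords are derived. Even with -EffectiveImmediately, wait ~10 hours for
# replication before creating the first gMSA.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# --- Domain administrator: create the gMSA. Only members of WebServers may
# retrieve the managed password, so a compromised host outside that group
# cannot obtain it. The domain rotates the password every 30 days.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ServicePrincipalNames 'HTTP/app.corp.example' `
    -ManagedPasswordIntervalInDays 30

# Add the web host to the group; it must reboot to refresh its group membership.
Add-ADGroupMember -Identity 'WebServers' -Members (Get-ADComputer 'WEB01')

# --- On WEB01 (local administrator, RSAT-AD-PowerShell installed), after the
# reboot: confirm the host can retrieve the managed password before touching IIS.
Install-ADServiceAccount -Identity 'gmsa-web'
if (-not (Test-ADServiceAccount -Identity 'gmsa-web')) {
    throw 'WEB01 cannot retrieve the gMSA password; check WebServers membership and reboot.'
}

# Bind the application pool to the gMSA: identityType 3 = SpecificUser, the
# account name carries the trailing "$", and the password is left empty because
# the host fetches it from Active Directory itself.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\MyAppPool' -Name processModel `
    -Value @{ identityType = 3; userName = 'CORP\gmsa-web$'; password = '' }
```

Grant the gMSA only the NTFS and database permissions the web application needs; because the pool runs as a domain identity rather than ApplicationPoolIdentity, every share it can reach is reachable by the application.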