Applies to BloodHound Enterprise only

This page describes how to configure and run the SharpHound Enterprise collection tool using an Active Directory gMSA.

To learn how to do this with SharpHound Community Edition, see Create a gMSA for Use With SharpHound Community Edition.

Overview of gMSAs

Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.

Detailed software requirements from Microsoft are available here.

Microsoft gMSA documentation is available here.

Create a gMSA account

To create a gMSA account, start by preparing the domain.

  1. Log into a domain controller within the domain you want to create a gMSA.

  2. To validate whether the domain has a KDS Root Key configured, run:

    Get-KdsRootKey

    If there’s no result returned, the KDS Root Key has not been configured in the domain. Continue on to step 3.

    If there is a result returned, the KDS Root Key has already been configured in the domain. Skip step 3 and move on to Create the gMSA and password read group.

  3. Create the KDS Root Key.

    For a production environment, run:

    Add-KdsRootKey -EffectiveImmediately

    For a test environment, make the key available for immediate use by running:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Create the gMSA and password read group

Perform these steps from/against a writeable Domain Controller.

  1. Create a gMSA password read group for computers that should have access to the gMSA password.

    Browse to the desired location in Users and Computers and create the group. Alternatively, use this template to create the group using PowerShell:

    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $pwdReadOUDN = "<DISGINGUISHED_NAME>" # Distinguished Name of OU to create the password read group in

    New-ADGroup `
    -Name "$($gmsaName)_pwdRead" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path $pwdReadOUDN `
    -Description "This group grants the rights to retrieve the password of the BloodHound data collector (SharpHound) gMSA '$gmsaName'." `
    -PassThru

  1. Add the SharpHound server that performs the Sharphound collections as a member of the gMSA password read group. This allows it to access the password of the gMSA and run the service.

    Add the computer to the group in Users and Computers. Alternatively, use this template to add group membership using PowerShell:

        $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $shServerDN = "<DISGINGUISHED_NAME>" # Distinguished Name of the SharpHound Enterprise server

    Add-ADGroupMember `
    -Identity "$($gmsaName)_pwdRead" `
    -Members $shServerDN `
    -PassThru

    When viewing the changes on a Windows server with the GUI enabled, you can see the OUs and the t0_gMSA_SHS_pwdRead group you created.

  2. Create the gMSA and allow the password read group to retrieve its password.

    On a Domain Controller, use this template to create the gMSA and set the retrieve right using PowerShell:

        $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $gmsaOUDN = "<DISGINGUISHED_NAME>" # Distinguished Name of OU to create the gMSA in

    New-ADServiceAccount -Name $gmsaName `
    -Description "SharpHound service account for BloodHound" `
    -DNSHostName "$($gmsaName).$((Get-ADDomain).DNSRoot)" `
    -ManagedPasswordIntervalInDays 32 `
    -PrincipalsAllowedToRetrieveManagedPassword "$($gmsaName)_pwdRead" `
    -Enabled $True `
    -AccountNotDelegated $True `
    -KerberosEncryptionType AES128,AES256 `
    -Path $gmsaOUDN `
    -PassThru
    If you receive the error "_New-ADServiceAccount : Key does not exist_", try again in 10 hours. This allows all Domain Controllers to converge AD replication of the KDS root key.

Prepare the SharpHound server

  1. Restart the SharpHound Enterprise server so that the server’s membership of the `pwdRead` group takes effect.
  2. Grant the gMSA the “Log on as a service” User Rights Assignment on the SharpHound server. This can be done through `secpol.msc` or policy deployment methods like a GPO.
  3. (Optional) Test that the SharpHound server can retrieve the gMSA password. See Test the gMSA.

Test the gMSA

Optionally test the gMSA server to make sure that the gMSA is working.

  1. Check the status of the RSAT PowerShell module. On the SharpHound Enterprise server, open a PowerShell as an Administrator and run:

    Get-WindowsCapability -Name RSAT*

    If the Install State shows “Installed”, skip to step 2, otherwise run:

    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

  2. In the elevated PowerShell, test that the SharpHound server can retrieve the gMSA password by running:

        $gmsaName = "t0_gMSA_SHS" # Name of the gMSA

    Test-ADServiceAccount -Identity $gmsaName

The test is successful if the command responds with True.

The gMSA is now ready to be used on the SharpHound Enterprise server. Follow Install and Upgrade SharpHound Enterprise to complete the installation of the SharpHound Enterprise service.

Add the gMSA to the SharpHound Enterprise service

Change the SharpHound Enterprise service to be run by the created gMSA. This can be done in two ways:

Using Services GUI / ‘services.msc’

  1. Open the Services application / ‘services.msc’ as a local administrator.
  2. Open properties of the service: SharpHoundDelegator.
  3. In the Log On tab, set This account to be the gMSA.
  4. Delete the contents of the password fields if present.
  5. Save by clicking OK.

Using command line / ‘sc.exe’

  1. Open the command prompt/PowerShell as a local administrator.

  2. Run the following command, replacing the ‘DOMAIN’ and gMSA name to match your environment.

    sc.exe config SHDelegator obj= "DOMAIN\\t0_gMSA_SHS$"