# Create a gMSA for Use With SharpHound Enterprise

export const word_0 = "Enterprise"

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=b682a26b342bde12302ec829e265bdb6" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

This page describes how to configure and run the SharpHound Enterprise collection tool using an Active Directory gMSA.

<Tip>To learn how to do this with SharpHound Community Edition, see [Create a gMSA for Use With SharpHound Community Edition](/collect-data/ce-collection/create-gmsa-community-edition).</Tip>

## Overview of gMSAs

Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.

Detailed software requirements from Microsoft are available [here](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831782\(v=ws.11\)#software-requirements).

Microsoft gMSA documentation is available [here](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831782\(v=ws.11\)).

## Create a gMSA account

To create a gMSA account, start by preparing the domain.

1. Log into a domain controller in the domain where you want to create the gMSA.

2. To validate whether the domain has a KDS Root Key configured, run:

   ```powershell theme={null}
   Get-KdsRootKey
   ```

   If there's no result returned, the KDS Root Key has not been configured in the domain. Continue on to step 3.

   If there is a result returned, the KDS Root Key has already been configured in the domain. Skip step 3 and move on to [Create the gMSA and password read group](#create-the-gmsa-and-password-read-group).

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-88.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=336e25c181b45885e07bbdb6bbbbbaf1" alt="" width="904" height="418" data-path="assets/image-88.png" />
   </Frame>

3. Create the KDS Root Key.

   For a production environment, run:

   ```powershell theme={null}
   Add-KdsRootKey -EffectiveImmediately
   ```

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-89.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=f62b4eb3f4f7ef59238528ea0555bd50" alt="" width="658" height="272" data-path="assets/image-89.png" />
   </Frame>

   For a test environment, make the key available for immediate use by running:

   ```powershell theme={null}
   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
   ```

## Create the gMSA and password read group

Perform these steps from/against a writeable Domain Controller.

1. Create a gMSA password read group for computers that should have access to the gMSA password.

   Browse to the desired location in Users and Computers and create the group.
   Alternatively, use this template to create the group using PowerShell:

   ```powershell theme={null}
   $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
   $pwdReadOUDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the OU to create the password read group in

   New-ADGroup `
   -Name "$($gmsaName)_pwdRead" `
   -GroupScope Global `
   -GroupCategory Security `
   -Path $pwdReadOUDN `
   -Description "This group grants the rights to retrieve the password of the BloodHound data collector (SharpHound) gMSA '$gmsaName'." `
   -PassThru
   ```

<Frame>
  <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-90.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=bf723d27dd1d121147ef90d42e705cb0" alt="" width="884" height="327" data-path="assets/image-90.png" />
</Frame>

2. Add the SharpHound {word_0} server that performs the SharpHound collections as a member of the gMSA password read group. This allows it to retrieve the password of the gMSA and run the service.

   Add the computer to the group in Users and Computers.
   Alternatively, use this template to add group membership using PowerShell:

   ```powershell theme={null}
   $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
   $shServerDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the SharpHound Enterprise server's computer object

   Add-ADGroupMember `
   -Identity "$($gmsaName)_pwdRead" `
   -Members $shServerDN `
   -PassThru
   ```

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-91.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=7d534c83d27dfbd4b4808c22acd2a851" alt="" width="868" height="262" data-path="assets/image-91.png" />
   </Frame>

   When viewing the changes on a Windows server with the GUI enabled, you can see the OUs and the `t0_gMSA_SHS_pwdRead` group you created.

3. Create the gMSA and allow the password read group to retrieve its password.

   On a Domain Controller, use this template to create the gMSA and set the retrieve right using PowerShell:

   ```powershell theme={null}
   $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
   $gmsaOUDN = "<DISTINGUISHED_NAME>" # Distinguished Name of the OU to create the gMSA in

   New-ADServiceAccount -Name $gmsaName `
   -Description "SharpHound service account for BloodHound" `
   -DNSHostName "$($gmsaName).$((Get-ADDomain).DNSRoot)" `
   -ManagedPasswordIntervalInDays 32 `
   -PrincipalsAllowedToRetrieveManagedPassword "$($gmsaName)_pwdRead" `
   -Enabled $True `
   -AccountNotDelegated $True `
   -KerberosEncryptionType AES128,AES256 `
   -Path $gmsaOUDN `
   -PassThru
   ```

   <Tip>If you receive the error `New-ADServiceAccount : Key does not exist`, try again in 10 hours. This allows all Domain Controllers to converge AD replication of the KDS root key.</Tip>

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-92.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=2b19562951385fa3074a378fbe6a0c97" alt="" width="874" height="357" data-path="assets/image-92.png" />
   </Frame>
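As an added check (example code, not part of the SpecterOps documentation), the following PowerShell audits the configuration produced by the three steps above: that only the `pwdRead` group can retrieve the managed password, that the group holds only computer objects, and that the hardening settings passed to `New-ADServiceAccount` are in place. It assumes the ActiveDirectory RSAT module and the account and group names used on this page.

```powershell
# Added verification example; not part of the SpecterOps documentation.
# Assumes the ActiveDirectory module and the names used on this page.
function Test-SharpHoundGmsaConfig {
    param(
        [string]$Name = "t0_gMSA_SHS",                      # gMSA name from this page
        [string]$PasswordReadGroup = "t0_gMSA_SHS_pwdRead"  # password read group from this page
    )
    $acct = Get-ADServiceAccount -Identity $Name -Properties `
        PrincipalsAllowedToRetrieveManagedPassword, AccountNotDelegated, `
        KerberosEncryptionType, ManagedPasswordIntervalInDays, Enabled
    $group = Get-ADGroup -Identity $PasswordReadGroup
    $findings = @()

    # 1. Only the dedicated read group may retrieve the managed password.
    $principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    if ($principals.Count -ne 1 -or $principals[0] -ne $group.DistinguishedName) {
        $findings += "Password retrieval is not limited to '$PasswordReadGroup': $($principals -join '; ')"
    }

    # 2. The read group should contain only the collector's computer account(s).
    $members = @(Get-ADGroupMember -Identity $group)
    if ($members.Count -eq 0) {
        $findings += "'$PasswordReadGroup' is empty; the SharpHound server cannot retrieve the password"
    }
    $nonComputers = $members | Where-Object { $_.objectClass -ne 'computer' }
    if ($nonComputers) {
        $findings += "Non-computer members in '$PasswordReadGroup': $($nonComputers.SamAccountName -join ', ')"
    }

    # 3. Hardening settings that New-ADServiceAccount sets in the steps above.
    if (-not $acct.Enabled)             { $findings += "gMSA '$Name' is disabled" }
    if (-not $acct.AccountNotDelegated) { $findings += "AccountNotDelegated is not set on '$Name'" }
    if ("$($acct.KerberosEncryptionType)" -match 'RC4|DES') {
        $findings += "Weak Kerberos encryption types allowed on '$Name': $($acct.KerberosEncryptionType)"
    }
    if ($acct.ManagedPasswordIntervalInDays -gt 32) {
        $findings += "Password interval is $($acct.ManagedPasswordIntervalInDays) days; this page uses 32"
    }

    # An empty array means the gMSA matches the configuration described above.
    return ,$findings
}

$result = Test-SharpHoundGmsaConfig
if ($result.Count -eq 0) { "gMSA configuration matches expectations" } else { $result }
```

Run it from a Domain Controller or any host with the ActiveDirectory module; it reads AD only and changes nothing.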

## Prepare the SharpHound {word_0} server

1. Restart the SharpHound Enterprise server so that the server's membership of the `pwdRead` group takes effect.
2. Grant the gMSA the "Log on as a service" User Rights Assignment on the SharpHound {word_0} server. This can be done through `secpol.msc` or policy deployment methods like a GPO.
3. (Optional) Test that the SharpHound {word_0} server can retrieve the gMSA password. See [Test the gMSA](#test-the-gmsa).

## Test the gMSA

Optionally, test from the SharpHound Enterprise server to make sure that the gMSA is working.

1. Check the status of the RSAT PowerShell module. On the SharpHound Enterprise server, open PowerShell as an Administrator and run:

   ```powershell theme={null}
   Get-WindowsCapability -Name RSAT*
   ```

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-93.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=ee24689c085fb0f6ac1a68e892d78373" alt="" width="904" height="120" data-path="assets/image-93.png" />
   </Frame>

   If the Install State shows "Installed", skip to step 2; otherwise, install the RSAT capabilities by running:

   ```powershell theme={null}
   Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
   ```

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-94.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=de2a83b4a483e0c80d32cfe4c2c25004" alt="" width="902" height="170" data-path="assets/image-94.png" />
   </Frame>

2. In the elevated PowerShell, test that the SharpHound server can retrieve the gMSA password by running:

   ```powershell theme={null}
   $gmsaName = "t0_gMSA_SHS" # Name of the gMSA

   Test-ADServiceAccount -Identity $gmsaName
   ```

   <Frame>
     <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-95.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=4ca5d7fe1413654e9d7a08b4f8f84ce0" alt="" width="514" height="68" data-path="assets/image-95.png" />
   </Frame>

The test is successful if the command responds with `True`.

The gMSA is now ready to be used on the SharpHound Enterprise server. Follow [Install and Upgrade SharpHound Enterprise](/install-data-collector/install-sharphound/installation-upgrade) to complete the installation of the SharpHound Enterprise service.

## Add the gMSA to the SharpHound Enterprise service

Change the SharpHound Enterprise service to be run by the created gMSA. This can be done in two ways:

### Using Services GUI / 'services.msc'

1. Open the Services application / 'services.msc' as a local administrator.
2. Open properties of the service: **SharpHoundDelegator**.
3. In the **Log On** tab, set **This account** to be the gMSA.
4. Delete the contents of the password fields if present.
5. Save by clicking **OK**.

<Frame>
  <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-96.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=0a294bfe37f40098ee5775ce4288ec5e" alt="" width="406" height="468" data-path="assets/image-96.png" />
</Frame>

### Using command line / 'sc.exe'

1. Open the command prompt/PowerShell as a local administrator.

2. Run the following command, replacing 'DOMAIN' and the gMSA name to match your environment (the trailing `$` is part of the gMSA's account name, and the password is left empty because Windows retrieves it automatically):

   ```powershell theme={null}
   sc.exe config SHDelegator obj= "DOMAIN\t0_gMSA_SHS$"
   ```

<Frame>
  <img src="https://mintcdn.com/specterops/oaqTTRoKDVQ7JntM/assets/image-97.png?fit=max&auto=format&n=oaqTTRoKDVQ7JntM&q=85&s=c30c62daf3361c230290ff1565e9195f" alt="" width="617" height="86" data-path="assets/image-97.png" />
</Frame>
