
# Configure a Group Managed Service Account for use with Devolutions Server

This article contains the steps to set up a Group Managed Service Account (gMSA) with Devolutions Server. This is only possible for Windows operating systems.

The environment values in this guide (e.g., `dvls01.domain.local`) are placeholders. Replace them with the specific values of your environment.

1. Create a KDS Root Key. Do this on the Domain Controller if this is your first time using gMSA.

   ```
   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
   ```
2. Create an Active Directory group for Devolutions Server authorized hosts.

   ```
   New-ADGroup -Name "DVLS Authorized Hosts" -SamAccountName "DVLSHosts" -GroupScope DomainLocal
   ```
3. Create a gMSA on the Domain Controller.

   ```
   # Web application (IIS application pool) account
   New-ADServiceAccount -Name "DVLS_Runner" -DnsHostName "dvls01.domain.local" `
   -ServicePrincipalNames "http/DVLS_Runner.domain.local" `
   -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"

   # Scheduler service account
   New-ADServiceAccount -Name "DVLS_Sched" -DnsHostName "dvls01.domain.local" `
   -ServicePrincipalNames "sched/DVLS_Sched.domain.local" `
   -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"
   ```
4. Add gMSAs to the domain group.

   ```
   Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Runner$"
   Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Sched$"
   ```
5. Add the DVLS01 computer account to the DVLSHosts group; you can do so via Active Directory’s ***Users and Computers*** or by using PowerShell. The computer will need to be restarted after this step.
6. On DVLS01, install the gMSAs. The Active Directory PowerShell module is required.

   ```
   Install-ADServiceAccount DVLS_Runner
   Install-ADServiceAccount DVLS_Sched
   ```
7. Configure the IIS Application Pool to run as `domain.local\DVLS_Runner$`. Grant batch logon rights: either assign ***Log on as a batch job*** in ***Group Policy*** or add the `DVLS_Runner$` account to the IIS\_IUSRS group.

   The password fields will remain blank, which is expected behavior for a gMSA.
8. Configure Devolutions' [Scheduler service](https://docs.devolutions.net/server/devolutions-server-console/#scheduler-service):

   * Open Windows’ Services Console (services.msc).
   * Right-click on ***DevolutionsSchedulerService***, and click ***Properties*** – ***Log On*** tab.
   * Check ***This Account***, and enter `domain.local\DVLS_Sched$`.
   * Click on ***Browse*** to find the account.
   * Leave the password fields blank.

   The ***Log on as a service*** permission is granted automatically for gMSAs.
9. Grant permissions to the database in [Devolutions Server Console](https://docs.devolutions.net/server/devolutions-server-console/).
   * Navigate to ***Administration*** – ***Edit*** – ***Database*** – ***Advanced credentials***.
   * Enable ***Apply least permissions***.
   * Set the `DVLS_Runner$` and `DVLS_Sched$` accounts in their respective fields.
10. Restart DVLS01, confirm that the app pool and scheduler start correctly, and ensure the Devolutions Server web interface and background jobs are working properly.
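
A read-only check to run on DVLS01 once the steps above are complete, as an added example that is not part of the Devolutions documentation. It confirms that the host can use each gMSA and that only the `DVLSHosts` group is allowed to retrieve the managed passwords. It assumes the placeholder names used in this guide and that `DevolutionsSchedulerService` is the service's name or display name.

```powershell
# Added example: read-only verification of the gMSA setup from this guide.
# Run on DVLS01 in an elevated session; needs the ActiveDirectory module.
Import-Module ActiveDirectory

$accounts     = 'DVLS_Runner', 'DVLS_Sched'    # gMSAs from step 3
$allowedGroup = 'DVLSHosts'                    # group from step 2
$serviceName  = 'DevolutionsSchedulerService'  # assumed service name (step 8)
$props        = 'PrincipalsAllowedToRetrieveManagedPassword', 'ServicePrincipalNames'

$groupDn = (Get-ADGroup -Identity $allowedGroup).DistinguishedName

$report = foreach ($name in $accounts) {
    $gmsa = Get-ADServiceAccount -Identity $name -Properties $props

    # Distinguished names of every principal that may read the managed password.
    # Anything other than the authorized-hosts group widens who can act as the gMSA.
    $principals = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    $unexpected = @($principals | Where-Object { $_ -ne $groupDn })

    [pscustomobject]@{
        Account              = $gmsa.SamAccountName
        SPNs                 = $gmsa.ServicePrincipalNames -join ', '
        # True only if this computer can retrieve the password from the domain.
        UsableOnThisHost     = Test-ADServiceAccount -Identity $name
        RestrictedToGroup    = ($principals -contains $groupDn) -and ($unexpected.Count -eq 0)
        UnexpectedPrincipals = $unexpected -join '; '
    }
}
$report | Format-List

# Every member listed here can retrieve the gMSA passwords; review for extras.
Get-ADGroupMember -Identity $allowedGroup |
    Select-Object SamAccountName, objectClass

# Log-on identity of the scheduler service (expected: the DVLS_Sched$ account).
Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='$serviceName' OR DisplayName='$serviceName'" |
    Select-Object Name, StartName, State
```

`UsableOnThisHost` and `RestrictedToGroup` should both be `True` for each account, and `UnexpectedPrincipals` should be empty.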

