Showing results for 
Show  only  | Search instead for 
Did you mean: 

GMSA (managed service accounts) with Trellix ePO

Is it possible to use GMSA with Trellix ePO in cases like LDAP accounts and SQL Server accounts. If so, is there any documentation from Trellix on how those would be used? Thanks!
2 Replies
Report Inappropriate Content
Message 2 of 3

Re: GMSA (managed service accounts) with Trellix ePO

We do not have any documentation on that, but from this response from development on the use of them for epo, it doesn't seem like that will work.

 *Managed Service Accounts* A Managed Service Account (MSA) is a type of domain account created and managed by the domain controller. It is assigned to a single-member computer for use running a service. The password is managed automatically by the domain controller. You cannot use an MSA to log into a computer, but a computer can use an MSA to start a Windows service. An MSA has the ability to register Service Principal Name (SPN) with the Active Directory. An MSA is named with a *$* suffix, for example, *DOMAIN\ACCOUNTNAME$*. When specifying an MSA, leave the password blank. Because an MSA is assigned to a single computer, it cannot be used on different nodes of a Windows cluster.   Technically this would mean that an EPO with multiple remote AH cannot leverage a single MSA account to login into the database since an MSA can be associated with only one computer.  

Unless Microsoft has changed the way that works, I don't see that working.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Level 7
Report Inappropriate Content
Message 3 of 3

Re: GMSA (managed service accounts) with Trellix ePO


Just to share what I learn if it can help you,

I successfully deployed gMSA for MSQL, used by the ePO.

You just need 3 gMSA:

- gMSA for SQLServer service account that will replace NT SERVICE\MSSQLSERVER service account

- gMSA for SQLServerAgent service account that will replace NT SERVICE\SQLSERVERAGENT service account

- gMSA for SQLTelemetry service account that will replace NT SERVICE\SQLTELEMETRY service account


Then you just need to give the same permissions than the local services account and the ePO will works as usual.




The Trellix agents installed on the client computers does not need a gMSA because all MacAffee Services runs with Local System account or Local Service account.



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community