TLDR: Group Managed Service Accounts (gMSAs) are limited to the domain in which they are created. gMSAs are not reported by Get-ADUser.
Managed Service Accounts (MSAs) were introduced in Server 2008 R2 to allow system-managed password changes for service accounts. Group Managed Service Accounts were introduced in Server 2012 as an improvement on MSAs that remedies some of their limitations. IT Pro has a good article describing the differences. The starting point for implementing a gMSA is the Microsoft overview. That documentation, however, covers neither the use of gMSAs across domains nor the practical implications of Managed Service Accounts for reporting.
If you look at the documentation for msDS-GroupManagedServiceAccount, you will see it is a subclass of computer. Managed Service Accounts are created in AD with a SamAccountName ending in a dollar sign, e.g. MYMSA$. The UserAccountControl (UAC) value for an MSA is 0x1000 (4096 decimal), the same as that of a workstation trust account: WORKSTATION_TRUST_ACCOUNT = 0x00001000. The implication is that Windows manages password changes for MSAs the same way it manages the password of a computer account. I suspect this explains the two issues I found in trying to use gMSAs from other domains in the same forest. Here is what I found:
- You cannot create a gMSA with New-ADServiceAccount, or modify one with Set-ADServiceAccount, such that PrincipalsAllowedToRetrieveManagedPassword names principals outside the domain of the gMSA.
- You can instead use a universal security group containing computer accounts from inside and outside the gMSA's domain as the principal allowed to retrieve the password. If you are running a script from a network share, be sure the computer hosting the script is in this group.
- You cannot use Install-ADServiceAccount on a computer whose domain is not the domain of the gMSA.
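The following PowerShell puts the three findings above together. It is an added example, not from the original post or from Microsoft's documentation; the domain names (corp.example, child.corp.example), host names (APP01, APP02, FS01), group name and gMSA name are assumptions, and the forest is assumed to already have the AD PowerShell module installed on the machine running it.

```powershell
# Added example: a gMSA owned by corp.example whose password may be retrieved by
# computers in two domains of the same forest. All names below are assumptions.
Import-Module ActiveDirectory

$GmsaDomain  = 'corp.example'          # domain that owns the gMSA
$OtherDomain = 'child.corp.example'    # second domain in the same forest
$GroupName   = 'gMSA-Report-Hosts'     # universal group of computer accounts
$GmsaName    = 'svcReport'             # SamAccountName becomes svcReport$

# One-time forest prerequisite: a KDS root key. Backdating the effective time is a lab
# shortcut; in production run Add-KdsRootKey -EffectiveImmediately and wait ten hours
# so every DC has replicated the key before creating gMSAs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 1. A universal group in the gMSA's domain, so members from other domains are allowed.
$group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
    -Server $GmsaDomain -PassThru

# 2. Computer accounts from both domains. Fetch each from its own domain with -Server;
#    the returned object carries the SID that the group membership actually stores.
#    FS01 hosts the shared script, so it goes in the group too (second finding).
$members = @(
    Get-ADComputer -Identity 'APP01' -Server $GmsaDomain
    Get-ADComputer -Identity 'APP02' -Server $OtherDomain
    Get-ADComputer -Identity 'FS01'  -Server $GmsaDomain
)
Add-ADGroupMember -Identity $group -Members $members -Server $GmsaDomain

# 3. The gMSA itself. Only the universal group is named here: naming APP02 directly
#    fails, because it lives outside the gMSA's domain (first finding).
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$GmsaDomain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group -Server $GmsaDomain

# 4. Run on APP01 (in corp.example) after a reboot, or after `klist -li 0x3e7 purge`,
#    so the computer's Kerberos ticket reflects its new group membership. The same
#    command on APP02 errors out, because APP02's domain is not the gMSA's (third finding).
Install-ADServiceAccount -Identity $GmsaName
Test-ADServiceAccount -Identity $GmsaName    # True when this host can retrieve the password
```

Test-ADServiceAccount is the quickest check that a given host is actually authorized: it attempts to retrieve the managed password as the computer account, so a False after Install-ADServiceAccount usually means the host's ticket predates its group membership.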
Because these accounts are a subclass of the computer class, their objectCategory is the managed service account class rather than person. If you use Get-ADUser or LDAP queries to list the active service accounts in your AD domain, they will therefore not appear alongside other user accounts. This may force you to use an inefficient query on the unindexed objectClass attribute alone, (objectClass=user), instead of the indexed (&(objectClass=user)(objectCategory=person)).
Finally, the properties page in both ADUC and ADAC is of little use for Managed Service Accounts. You will need to use either the attribute editor or Get-ADServiceAccount to see the properties of these accounts.
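The reporting gap in the two paragraphs above can be closed without the unindexed (objectClass=user) scan, because objectCategory is indexed and a gMSA's objectCategory is the msDS-GroupManagedServiceAccount class. The script below is an added example, not from the original post; the domain name is an assumption, and it also reports the standalone MSA class (msDS-ManagedServiceAccount), which the post does not discuss.

```powershell
# Added example: enumerate users together with the managed service accounts that
# Get-ADUser omits, using an indexed filter. The domain name is an assumption.
Import-Module ActiveDirectory

$Domain = 'corp.example'
$WORKSTATION_TRUST_ACCOUNT = 0x1000   # UAC bit that MSAs share with computer accounts

# Get-ADUser only returns objects whose objectCategory is person, so no MSA shows up here.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain)
$msaFromGetAdUser = @($users | Where-Object SamAccountName -like '*$').Count
"Get-ADUser returned $($users.Count) accounts; accounts ending in '$': $msaFromGetAdUser"

# The post's workaround, (objectClass=user), matches users, MSAs and every computer,
# and objectClass is not indexed, so the DC walks the whole partition.
$slow = @(Get-ADObject -LDAPFilter '(objectClass=user)' -Server $Domain)

# Indexed alternative: OR the three objectCategory values together. AD accepts the
# lDAPDisplayName of a class here and resolves it to the schema DN.
$filter = '(|(objectCategory=person)' +
          '(objectCategory=msDS-GroupManagedServiceAccount)' +
          '(objectCategory=msDS-ManagedServiceAccount))'
$accounts = @(Get-ADObject -LDAPFilter $filter -Server $Domain `
    -Properties sAMAccountName, userAccountControl, objectCategory, msDS-ManagedPasswordInterval)
"Indexed filter returned $($accounts.Count) accounts (unindexed objectClass=user: $($slow.Count), computers included)"

$report = foreach ($a in $accounts) {
    # objectCategory is a schema DN such as CN=ms-DS-Group-Managed-Service-Account,CN=Schema,...
    $kind = switch -Wildcard ($a.objectCategory) {
        'CN=ms-DS-Group-Managed-Service-Account,*' { 'gMSA' }
        'CN=ms-DS-Managed-Service-Account,*'       { 'sMSA' }
        default                                    { 'user' }
    }
    [pscustomobject]@{
        SamAccountName        = $a.sAMAccountName
        Kind                  = $kind
        # Same bit as a workstation trust account: Windows rotates the password like a computer's
        ComputerStylePassword = [bool]($a.userAccountControl -band $WORKSTATION_TRUST_ACCOUNT)
        Disabled              = [bool]($a.userAccountControl -band 0x2)
        RotationDays          = $a.'msDS-ManagedPasswordInterval'   # null for ordinary users
    }
}
$report | Sort-Object Kind, SamAccountName | Format-Table -AutoSize

# The properties ADUC/ADAC hide: who may retrieve the password and when it last rotated.
Get-ADServiceAccount -Filter * -Server $Domain `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval, pwdLastSet, DNSHostName |
    Select-Object SamAccountName, DNSHostName,
        @{ n = 'PasswordLastSet';   e = { [datetime]::FromFileTime($_.pwdLastSet) } },
        @{ n = 'RotationDays';      e = { $_.'msDS-ManagedPasswordInterval' } },
        @{ n = 'AllowedToRetrieve'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```

The Kind column is derived from objectCategory rather than from the trailing dollar sign, because a computer account also ends in "$" while a gMSA whose objectCategory were ever changed would not; the last command is the Get-ADServiceAccount view the post recommends over the GUI, with the hyphenated attribute names quoted so PowerShell does not parse them as subtraction.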