Apr 06 2017

Windows Managed Service Accounts

Published by at 11:09 pm under Windows

Managed service accounts (MSAs) appeared with Windows Server 2008 R2. An MSA provides a dedicated account for each service without the hassle of managing password assignment or reset: less management, more security.
However, a (standalone) MSA can only be used on one server.
Setting up a service account is done in two steps:
Create it on the Active Directory domain controller, then install it on the machine where the service will run.
On the domain controller, run the two following commands in PowerShell to create the account (this cannot be done through the graphical interface):

Import-Module ActiveDirectory
New-ADServiceAccount -Name Service_Account -Enabled $true

The account shows up under “Managed Service Accounts” in Active Directory Users and Computers (enable Advanced Features under View).
Then assign the account to the machine where the service will run:

Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account

On the target machine, add the Active Directory module for PowerShell feature:
Add Feature:
Remote Server Administration Tools
   Role Administration Tools
     AD DS and AD LDS Tools
      Active Directory module for Windows PowerShell
And install the service account in PowerShell:

Install-ADServiceAccount -Identity Service_Account


Configure the service to log on as DOMAIN\Service_Account$ and leave the password blank. Don’t forget the $ at the end of the account name!
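To check that the two steps above actually took effect on the target server, here is an added verification script (not part of the original post). It assumes the Service_Account MSA from the post and a hypothetical service named MyService; Test-ADServiceAccount confirms the host can use the account, the HostComputers attribute confirms the one-server binding, and sc.exe sets the logon account with the mandatory trailing $ and an empty password.

```powershell
# Added verification script (not from the original post).
# Assumes the MSA Service_Account from the post and a hypothetical
# service name 'MyService' that should run under the account.
param(
    [string]$AccountName = 'Service_Account',
    [string]$ServiceName = 'MyService',
    [string]$Domain      = $env:USERDOMAIN
)
Import-Module ActiveDirectory

# 1. Confirm the account is installed on this host; returns $true only when
#    the local machine holds the MSA's secret and can log on with it.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "MSA '$AccountName' is not usable on $env:COMPUTERNAME; run Install-ADServiceAccount first."
}

# 2. Confirm the MSA is bound to this computer in AD. A standalone MSA serves
#    exactly one host, so an unexpected entry means it was assigned elsewhere.
$msa   = Get-ADServiceAccount -Identity $AccountName -Properties HostComputers
$hosts = @($msa.HostComputers | ForEach-Object { (Get-ADComputer -Identity $_).Name })
if ($hosts -notcontains $env:COMPUTERNAME) {
    throw "MSA '$AccountName' is assigned to [$($hosts -join ', ')], not to $env:COMPUTERNAME."
}

# 3. Point the service at the MSA. The trailing '$' is mandatory and the
#    password is left empty: Windows fetches it from AD on the host's behalf.
$logon = "$Domain\$AccountName`$"
sc.exe config $ServiceName obj= $logon password= "" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 4. Read back the service's logon account and check it is the MSA, not a
#    shared user account with a static password.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $logon) {
    throw "Service '$ServiceName' runs as '$($svc.StartName)', expected '$logon'."
}
"OK: $ServiceName runs as $logon on $env:COMPUTERNAME"
```

Run it in an elevated PowerShell session on the target server after Install-ADServiceAccount; any failed check throws with the offending value instead of silently continuing.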
