Apr 06 2017
Windows Managed Service Accounts
Managed service accounts appeared with Windows Server 2008 R2. An MSA provides a dedicated account for each service without the hassle of managing password assignment or resets; less management, more security.
However, an account can only be used on one server.
Setting up a service account takes two steps: create it on the Active Directory domain controller, then install it on the machine where the service will run.
On the domain controller, run the following two commands in PowerShell to create the account (there is no graphical interface for this step):
Import-Module ActiveDirectory
New-ADServiceAccount -Name Service_Account -Enabled $true
The account shows up under “Managed Service Accounts” in Active Directory Users and Computers (check Advanced Features in the View menu).
Then assign the account to the machine where the service will run:
Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account
On the target machine, add the Active Directory module for PowerShell feature:
Add Feature:
Remote Server Administration Tools
Role Administration Tools
AD DS and AD LDS Tools
Active Directory module for Windows PowerShell
Then install the service account in PowerShell:
Install-ADServiceAccount -Identity Service_Account

Configure the service to run as DOMAIN\Service_Account$ and leave the password blank. Don’t forget the $ in the account name!
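The whole procedure above, collected into one script with the verification steps an administrator would want before and after binding a service to the account. This is an added example, not the post's own commands: the domain name, the server name and the service name (Service_Account, Target_Server, CONTOSO, MyService) are placeholders, and Test-ADServiceAccount / Get-ADServiceAccount are used here to confirm the binding and to audit which host the MSA is tied to.

```powershell
# --- Step 1: on the domain controller ---
Import-Module ActiveDirectory

# Create the managed service account (no GUI for this step).
New-ADServiceAccount -Name Service_Account -Enabled $true

# Bind the account to the single computer allowed to use it.
Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account

# Audit: HostComputers shows which machine the MSA is tied to.
# Useful when reviewing which hosts hold which service identities.
Get-ADServiceAccount -Identity Service_Account -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers

# --- Step 2: on Target_Server (AD PowerShell module feature installed) ---
Import-Module ActiveDirectory

# Install the MSA locally so the machine can retrieve its password.
Install-ADServiceAccount -Identity Service_Account

# Verify the account is usable from this host before touching any service.
# Returns $true when the computer can log on with the MSA.
if (-not (Test-ADServiceAccount -Identity Service_Account)) {
    throw "Service_Account is not usable on this host; check the computer binding."
}

# Configure the service to run as the MSA. Note the trailing $ and the empty
# password: the SCM obtains the password from AD, nobody types it.
# (Assumed service name 'MyService' and domain 'CONTOSO'.)
sc.exe config MyService obj= "CONTOSO\Service_Account$" password= ""

# Caveat: sc.exe does not grant the "Log on as a service" right the way the
# Services MMC does when you set the account there; grant it via Group Policy
# or Local Security Policy if the service fails to start with a logon error.
Restart-Service -Name MyService
Get-WmiObject Win32_Service -Filter "Name='MyService'" |
    Select-Object Name, StartName, State
```

The final query shows StartName, which is the quickest way to confirm which account a service actually runs under; comparing StartName across servers against the HostComputers attribute catches MSAs that were installed on a machine they were never bound to.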