{"id":940,"date":"2017-04-06T23:09:06","date_gmt":"2017-04-06T21:09:06","guid":{"rendered":"http:\/\/www.netexpertise.eu\/en\/?p=940"},"modified":"2021-09-11T22:50:40","modified_gmt":"2021-09-11T20:50:40","slug":"windows-managed-service-accounts","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html","title":{"rendered":"Configure Windows Managed Service Accounts"},"content":{"rendered":"\n

Windows Managed service accounts (MSA) appeared in Windows 2008 R2 Server. MSA provide dedicated accounts for each service without the hassle of managing password assignment or reset. Less management, more security.
However, a single account cannot be used across multiple servers. This could lead to many service accounts within a domain but this is not a big deal.
 
Setting up a service account requires 2 major steps:
Create it on the Active Directory domain controller and install it on the machine where the service will run.<\/p>\n\n\n\n


Add Service Account on Active Directory<\/h2>\n\n\n\n

On the domain controller, launch the two following commands in Powershell<\/a> to create the account. It cannot be done through a graphical user interface:<\/p>\n\n\n\n

Import-Module ActiveDirectory\nNew-ADServiceAccount -Name Service_Account -Enabled $true<\/code><\/pre>\n\n\n\n
 
The  Windows account shows up under “Managed Service Accounts” in Active Directory Users and Computers. You have to check “Advanced features” in the View tab beforehand.

Then assign the account to the host where the service will run:<\/p>\n\n\n\n
Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account<\/code><\/pre>\n\n\n\n

Configure the Service on the Target Host<\/h2>\n\n\n\n
On the target machine, add the AD module for Powershell feature:
\u00a0
Add Feature navigating to:
Remote Server Administration Tools
\u00a0\u00a0 Role Administration Tools
 \u00a0\u00a0\u00a0\u00a0 AD DS and AD LDS Tools
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   Active Directory module for Windows PowerShell
\u00a0
Next install the managed service account, still in Powershell:<\/p>\n\n\n\n
Install-ADServiceAccount -identity Service_Account<\/code><\/pre>\n\n\n\n

Finally, you can configure the service startup with the managed service account, under the Connection tab.

<\/p>\n\n\n\n
\"Windows<\/figure><\/div>\n\n\n\n
\u00a0
Launch the service with DOMAIN\\Service_Account$ leaving the password field empty. Do not forget to append the $ to the account name!

Check this post<\/a> out if the service does not start after rebooting the server. It could be linked to some security policy settings that need to be changed.<\/p>\n","protected":false},"excerpt":{"rendered":"
Windows Managed service accounts (MSA) appeared in Windows 2008 R2 Server. MSA provide dedicated accounts for each service without the hassle of managing password assignment or reset. Less management, more security.However, a single account cannot be used across multiple servers. This could lead to many service accounts within a domain but this is not a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[70],"tags":[383,389,391],"yoast_head":"\nNetexpertise - Configure Windows Managed Service Accounts<\/title>\n<meta name=\"description\" content=\"Configure and secure Windows services with managed service accounts and simplify account and password management.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - Configure Windows Managed Service Accounts\" \/>\n<meta property=\"og:description\" content=\"Configure and secure Windows services with managed service accounts and simplify account and password management.\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-06T21:09:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-11T20:50:40+00:00\" \/>\n<meta name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html\",\"name\":\"Netexpertise - Configure Windows Managed Service Accounts\",\"isPartOf\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2017-04-06T21:09:06+00:00\",\"dateModified\":\"2021-09-11T20:50:40+00:00\",\"author\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Configure and secure Windows services with managed service accounts and simplify account and password management.\",\"breadcrumb\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Configure Windows Managed Service Accounts\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Netexpertise - Configure Windows Managed Service Accounts","description":"Configure and secure Windows services with managed service accounts and simplify account and password management.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html","og_locale":"en_US","og_type":"article","og_title":"Netexpertise - Configure Windows Managed Service Accounts","og_description":"Configure and secure Windows services with managed service accounts and simplify account and password management.","og_url":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html","og_site_name":"Netexpertise","article_published_time":"2017-04-06T21:09:06+00:00","article_modified_time":"2021-09-11T20:50:40+00:00","author":"dave","twitter_card":"summary_large_image","twitter_creator":"@netexpertise","twitter_site":"@netexpertise","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html","url":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html","name":"Netexpertise - Configure Windows Managed Service Accounts","isPartOf":{"@id":"http:\/\/www.netexpertise.eu\/en\/#website"},"datePublished":"2017-04-06T21:09:06+00:00","dateModified":"2021-09-11T20:50:40+00:00","author":{"@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa"},"description":"Configure and secure Windows services with managed service accounts and simplify account and password management.","breadcrumb":{"@id":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.netexpertise.eu\/en\/systems\/windows\/windows-managed-service-accounts.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/www.netexpertise.eu\/en"},{"@type":"ListItem","position":2,"name":"Configure Windows Managed Service Accounts"}]},{"@type":"WebSite","@id":"http:\/\/www.netexpertise.eu\/en\/#website","url":"http:\/\/www.netexpertise.eu\/en\/","name":"Netexpertise","description":"Systems \/ Networks \/ DevOps","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.netexpertise.eu\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa","name":"dave","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/","url":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","contentUrl":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","caption":"dave"},"sameAs":["http:\/\/www.netexpertise.eu"]}]}},"_links":{"self":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/940"}],"collection":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/comments?post=940"}],"version-history":[{"count":0,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/940\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/media?parent=940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/categories?post=940"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/tags?post=940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}