Managed Service Accounts (MSAs) are Active Directory accounts whose password is generated and managed by Active Directory and rotated automatically every 30 days. This overcomes the classic problem of service accounts whose passwords are never changed and never expire.
These accounts are also tied to a specific computer, cannot be used for interactive logon and cannot be locked out. Only the computer the MSA is bound to can retrieve its password from AD, so the password never has to be typed, stored in a script or known to an administrator. MSAs were introduced in Windows Server 2008 R2 and Windows 7. They are created in the Managed Service Accounts container in Active Directory and have an object class of msDS-ManagedServiceAccount. (Windows Server 2012 added group Managed Service Accounts, gMSAs, which can be used on more than one computer; the original single-computer kind described here is now called a standalone MSA, or sMSA.)
To create a Managed Service Account
- Create the MSA account
New-ADServiceAccount -Name <MSA name> -RestrictToSingleComputer -Enabled $true
(The parameter is -Enabled, not -Enable. On Windows Server 2012 and later, -RestrictToSingleComputer is what makes the cmdlet create a standalone MSA instead of a gMSA, which would require a KDS root key and a DNS host name.)
- Once the MSA account is created, it shows up in the Managed Service Accounts container
- Associate the MSA with the computer where you want to use it
Add-ADComputerServiceAccount -Computer <computername> -ServiceAccount <MSAname>
- Connect to the computer that the MSA will be used on and install the MSA
Install-ADServiceAccount -Identity <MSA name>
After the MSA has been installed on the computer it can be associated with a service. Open services.msc, right click the service, select Properties and go to the Log On tab. Enter the account as DOMAIN\<MSA name>$ (note the trailing dollar sign) and leave both password fields empty; Windows retrieves the password itself. Test-ADServiceAccount -Identity <MSA name>, run on that computer, confirms the machine can fetch the password before you restart the service.
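The whole procedure above, end to end, as an added example that is not part of the original page. It uses the RSAT Active Directory PowerShell module and assumes hypothetical names (an MSA called svcWebApp, a member server APP01 and a Windows service MyWebApp); replace them with your own. It also adds the checks a practitioner would want at each step: confirming the object class and container after creation, verifying the password can be retrieved on the target before the service is touched, and setting the service logon with sc.exe instead of clicking through services.msc.

```powershell
# Added example, not from the original page. Hypothetical names below.
# Part 1 runs on an admin host with Domain Admin rights and the AD module;
# Part 2 runs as a local administrator on the target computer itself.
Import-Module ActiveDirectory

$MsaName      = 'svcWebApp'   # hypothetical; keep sMSA names at 15 characters or fewer
$ComputerName = 'APP01'       # hypothetical member server that will run the service
$ServiceName  = 'MyWebApp'    # hypothetical Windows service on APP01

# ---- Part 1: on the admin host ----
# Create the standalone MSA. -RestrictToSingleComputer selects an sMSA (not a gMSA)
# on Windows Server 2012+ domain controllers.
New-ADServiceAccount -Name $MsaName -RestrictToSingleComputer -Enabled $true

# Check it landed in CN=Managed Service Accounts with the expected object class
$msa = Get-ADServiceAccount -Identity $MsaName -Properties ObjectClass, DistinguishedName
if ($msa.ObjectClass -ne 'msDS-ManagedServiceAccount' -or
    $msa.DistinguishedName -notlike '*CN=Managed Service Accounts,*') {
    throw "Unexpected object: $($msa.DistinguishedName) ($($msa.ObjectClass))"
}

# Bind the MSA to the one computer that is allowed to retrieve its password
Add-ADComputerServiceAccount -Computer $ComputerName -ServiceAccount $MsaName

# ---- Part 2: on $ComputerName (APP01), as a local administrator ----
# Install the MSA, which caches its password in the local LSA, then prove the
# machine can actually retrieve it before pointing any service at it.
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "Test-ADServiceAccount failed for $MsaName on $env:COMPUTERNAME"
}

# Same change as services.msc > Properties > Log On: account is DOMAIN\name$
# with an empty password. The space after 'obj=' and 'password=' is required by sc.exe.
$logonAccount = "$env:USERDOMAIN\$MsaName`$"
sc.exe config $ServiceName obj= $logonAccount password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

Restart-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State   # StartName should now read DOMAIN\svcWebApp$
```

If Test-ADServiceAccount returns False right after Install-ADServiceAccount, the usual cause is that the Add-ADComputerServiceAccount step was skipped or run against the wrong computer object, or that the change has not yet replicated to the domain controller the member server is talking to.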
To remove an MSA, first uninstall it from the computer with PowerShell (after moving any service that uses it to another account, otherwise that service will fail to start):
Uninstall-ADServiceAccount -Identity <MSA name>
Once removed from the computer, the association can be removed with
Remove-ADComputerServiceAccount -Computer <computername> -ServiceAccount <MSAname>
This leaves the MSA account in Active Directory, which can be removed by
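The removal procedure carried out in the right order, as an added example that is not part of the original page. It reuses the same hypothetical names as the setup (svcWebApp, APP01, MyWebApp) and adds the two checks worth doing before deleting the object: moving the dependent service off the MSA first, and confirming that no other computer still has the account bound to it.

```powershell
# Added example, not from the original page. Hypothetical names below.
# Part 1 runs on the target computer; Part 2 runs on an admin host with Domain Admin rights.
Import-Module ActiveDirectory

$MsaName      = 'svcWebApp'   # hypothetical
$ComputerName = 'APP01'       # hypothetical
$ServiceName  = 'MyWebApp'    # hypothetical

# ---- Part 1: on APP01 ----
# Move the service to a built-in account before the MSA disappears from the local LSA;
# otherwise the next service start fails with a logon failure.
Stop-Service -Name $ServiceName
sc.exe config $ServiceName obj= "NT AUTHORITY\NetworkService" password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Make sure nothing else on this host still runs as the MSA
$still = Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*\$MsaName`$" }
if ($still) { throw "Services still using $MsaName`$: $($still.Name -join ', ')" }

Uninstall-ADServiceAccount -Identity $MsaName

# ---- Part 2: on the admin host ----
Remove-ADComputerServiceAccount -Computer $ComputerName -ServiceAccount $MsaName

# HostComputers is the back-link listing every computer the MSA is still bound to.
# For an sMSA it should now be empty; if it is not, the account is still in use somewhere.
$hosts = (Get-ADServiceAccount -Identity $MsaName -Properties HostComputers).HostComputers
if ($hosts) { throw "$MsaName is still bound to: $($hosts -join ', ')" }

# Only now delete the account object itself from the Managed Service Accounts container
Remove-ADServiceAccount -Identity $MsaName -Confirm:$false
```

Running the deletion last matters because the MSA's SID may still be referenced in local group memberships, ACLs or service configurations on the host; once the object is gone those references resolve to an orphaned SID and are much harder to track down.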