AD Managed Service Accounts

Managed Service Accounts (MSAs) are Active Directory accounts whose password is managed and changed automatically every 30 days. This overcomes the common problem with service accounts: passwords that are never changed and never expire.

These accounts are also tied to a specific computer, cannot be used for interactive logon and cannot be locked out. MSAs were introduced in Windows Server 2008 R2 and Windows 7. They are created in the Managed Service Accounts container in Active Directory and have an object class of msDS-ManagedServiceAccount.

To create a Managed Service Account:

  1. Create the MSA account
    New-ADServiceAccount -Name <MSA name> -RestrictToSingleComputer -Enabled $True
  2. Once the MSA account is created, it shows in the Managed Service Accounts container
  3. Associate the MSA with the computer where you want to use it
    Add-ADComputerServiceAccount -Identity <computername> -ServiceAccount <MSAname>
  4. Connect to the computer that the MSA will be used on and install the MSA
    Install-ADServiceAccount -Identity <MSA name>

After the MSA has been installed on the computer it can be associated with a service. Open services.msc, right-click the service and select Properties.

On the Log On tab, set the account to DOMAIN\MSA$ and clear both the Password and Confirm Password boxes.
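Once MSAs are in use, the properties described above (one linked computer, automatic 30-day rotation) are worth verifying rather than assuming. The following audit script is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to AD, and uses the msDS-HostServiceAccountBL back-link to find the computer each MSA is linked to.

```powershell
# Added example: audit standalone MSAs (objectClass msDS-ManagedServiceAccount).
# Assumes the RSAT ActiveDirectory module and a domain-joined session with AD read access.
Import-Module ActiveDirectory

function Get-MsaAuditReport {
    param(
        # Rotation interval described above; a password older than this is suspect.
        [int]$MaxPasswordAgeDays = 30
    )

    $now = Get-Date
    # Filter on the object class so group MSAs (msDS-GroupManagedServiceAccount) are excluded.
    $msas = Get-ADObject -LDAPFilter '(objectClass=msDS-ManagedServiceAccount)' `
        -Properties sAMAccountName, pwdLastSet, userAccountControl, 'msDS-HostServiceAccountBL'

    foreach ($msa in $msas) {
        # pwdLastSet is a Windows FILETIME; 0 or missing means the password was never set.
        $lastSet = if ($msa.pwdLastSet -gt 0) { [DateTime]::FromFileTime($msa.pwdLastSet) } else { $null }
        $ageDays = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }

        # ACCOUNTDISABLE is bit 0x2 of userAccountControl.
        $enabled = -not ($msa.userAccountControl -band 0x2)

        # Back-link of the computer's msDS-HostServiceAccount attribute; keep only the CN.
        $hosts = @($msa.'msDS-HostServiceAccountBL' | Where-Object { $_ } |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })

        # No host: nothing can use the account (cleanup candidate).
        # Several hosts: contradicts -RestrictToSingleComputer.
        $finding = if ($hosts.Count -eq 0)                { 'Not linked to any computer' }
                   elseif ($hosts.Count -gt 1)            { 'Linked to multiple computers' }
                   elseif ($null -eq $ageDays)            { 'Password never set' }
                   elseif ($ageDays -gt $MaxPasswordAgeDays) { "Password not rotated in $ageDays days" }
                   else                                   { 'OK' }

        [pscustomobject]@{
            Name            = $msa.sAMAccountName
            Enabled         = $enabled
            HostComputers   = ($hosts -join ';')
            PasswordLastSet = $lastSet
            PasswordAgeDays = $ageDays
            Finding         = $finding
        }
    }
}

Get-MsaAuditReport | Sort-Object Finding | Format-Table -AutoSize
```

Anything other than OK in the Finding column points at an MSA that was created but never installed, was linked to the wrong number of computers, or whose automatic password change is not happening.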

To remove an MSA, use PowerShell:

Uninstall-ADServiceAccount -Identity <MSA name>

Once the MSA has been removed from the computer, its association with the computer can be removed with:

Remove-ADComputerServiceAccount -Identity <computername> -ServiceAccount <MSAname>

This leaves the MSA object in Active Directory, which can be removed with:

Remove-ADServiceAccount -Identity <MSA name>
