Managed Service Accounts

Managed Service Accounts seem to be the be-all and end-all for services such as Exchange or SQL Server that we have all, at some point, run as Local System, as an administrator account, or at best as an ordinary domain user account set up on the principle of least privilege. Running a service as Local System grants far more rights than necessary: the service ends up with full control of the local machine, and anyone who compromises the service inherits that control. Running it as a normal domain user account, even one set up with least privilege, still leaves a lot to be desired, because managing that account's password is an ongoing security problem: the password is rarely rotated, it has to be typed into (and is therefore stored by) every service that uses it, and it can be reused elsewhere.

The solution is a Managed Service Account (MSA), a new feature of Windows Server 2008 R2 and Windows 7. A domain operating at a functional level below 2008 R2 (the schema still has to be extended to the 2008 R2 version) can take advantage of the automatic password management feature of MSAs; one operating at the 2008 R2 functional level can also take advantage of the automatic SPN (Service Principal Name) management feature. Note that an MSA of this kind is bound to exactly one computer; it cannot be shared between several hosts.

To create a Managed Service Account, open PowerShell on a domain-joined machine as a user with permission to create objects in the target OU of Active Directory and run the Import-Module ActiveDirectory cmdlet.

If you're running this on a computer that is not a domain controller and you receive the error below, you'll need to install the Active Directory module for Windows PowerShell (part of the Remote Server Administration Tools):
Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory. At line:1 char:14 + Import-Module <<<<  ActiveDirectory + CategoryInfo : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Run the Import-Module ServerManager cmdlet.

Run the Add-WindowsFeature RSAT-AD-PowerShell cmdlet to install the Active Directory module for Windows PowerShell. (Add-WindowsFeature only exists on Windows Server; on a Windows 7 workstation, install the Remote Server Administration Tools package and enable the module under Turn Windows features on or off.)

Close and re-open PowerShell, otherwise you may receive the error below:
Attempting to perform the InitializeDefaultDrives operation on the ‘ActiveDirectory’ provider failed.

You should now be able to run the Import-Module ActiveDirectory cmdlet without error.

Run the New-ADServiceAccount cmdlet, giving the account a name and the distinguished name of the OU it should be created in:

New-ADServiceAccount -Name <AccountName> -Path "<OU distinguished name>"

In the example this post walks through (the screenshot of the exact command is not reproduced here), the account is named svcWebSite. Do not include the trailing $ when creating the account; Active Directory appends it to the sAMAccountName for you.

If you did not receive any error messages, the new Managed Service Account should appear in the specified OU in Active Directory Users and Computers.

Link the service account to the computer you want to use it on with the Add-ADComputerServiceAccount cmdlet, run from the same administrative PowerShell session. This writes the account into the computer object in AD, which is what later allows that computer (and only that computer) to retrieve the password:

Add-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <AccountName>

The screenshot of the command used in the example is not reproduced here; it links svcWebSite to the web server the account was created for.

Open PowerShell as an administrator on the computer where you want to use the Managed Service Account and import the Active Directory module (Import-Module ActiveDirectory); the module has to be installed on that computer too, as described above.

Install the MSA on the computer you want to use it on with the Install-ADServiceAccount cmdlet. This retrieves the account's password from AD and caches it in the local LSA so the Service Control Manager can log the service on without anyone ever knowing the password:

Install-ADServiceAccount -Identity <AccountName>

In the example the command is Install-ADServiceAccount -Identity "svcWebSite", as the error message below also shows.

If you receive the error below, it's because you lack the necessary permissions to update AD, because UAC is preventing the command from running with the rights your account actually has, or because the account was not linked to this computer in the previous step. The "unknown" NTSTATUS code 0xC0000022 is STATUS_ACCESS_DENIED.
Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000022)'. At line:1 char:25 + Install-ADServiceAccount <<<<  -Identity "svcWebSite"+ CategoryInfo : WriteError: (svcWebSite:String) [Install-ADServiceAccount], ADException + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft. ActiveDirectory.Management.Commands.InstallADServiceAccount

If you received the error above, try right-clicking the Windows PowerShell icon and selecting "Run as Administrator", then run Install-ADServiceAccount again.

Now configure the service to log on as the account. In the service's Log On tab enter the account as DOMAIN\AccountName$ (the trailing $ is part of the name) and leave both password fields blank, as shown in the example below. Setting the account through the Services console also grants it the "Log on as a service" right automatically.

A Managed Service Account changes its password automatically every thirty days by default (the same schedule as a computer account password), so password management is no longer an issue. Because no person ever knows the password, it cannot be written down, reused on another system, or reset by a helpdesk ticket, and the service keeps working through every rotation without anyone touching it.
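The whole procedure above, collected into one script as an added example (this is not code from the original post). Part 1 runs on any domain-joined machine with the Active Directory module, as a user who can create objects in the OU and write to the computer object; Part 2 runs in an elevated session on the computer that will host the service. The domain contoso.com, the OU "Service Accounts", the account svcWebSite, the computer WEB01, the W3SVC service and the SPN are all assumed values for illustration; it also adds the verification and service-configuration steps a practitioner would want, which the post performs by hand in the Services console.

```powershell
# Added example, not from the original post. All names below are assumptions:
# domain contoso.com, OU "Service Accounts", MSA svcWebSite, computer WEB01,
# service W3SVC.

# ---- Part 1: run on any domain-joined machine with the AD module ----------
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName       # e.g. DC=contoso,DC=com
$ouDn     = "OU=Service Accounts,$domainDn"         # assumed OU for service accounts
$msaName  = "svcWebSite"                            # MSA name, WITHOUT the trailing $
$computer = "WEB01"                                 # the one host allowed to use it

# Create the account. On a 2008 R2 DC this produces a standalone MSA. On
# 2012 or later DCs New-ADServiceAccount builds a group MSA by default, so
# add -RestrictToSingleComputer there to get the same kind of object.
New-ADServiceAccount -Name $msaName -Path $ouDn -Enabled $true

# Bind the MSA to exactly one computer. A standalone MSA cannot be shared;
# a second Add-ADComputerServiceAccount for another host is not supported.
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $msaName

# Optional: register the SPN Kerberos clients will request from the service.
# At the 2008 R2 functional level AD keeps SPNs in step with host renames.
Set-ADServiceAccount -Identity $msaName `
    -ServicePrincipalNames @{ Add = "HTTP/web01.contoso.com" }

# ---- Part 2: run on WEB01 in an elevated ("Run as Administrator") session --
Import-Module ActiveDirectory

# Pull the account's secret into the local LSA. STATUS_ACCESS_DENIED
# (0xC0000022) here means the session is not elevated or the MSA was not
# linked to THIS computer in Part 1.
Install-ADServiceAccount -Identity $msaName

# Check the machine can really use the account before touching any service.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# Point the service at the account. The logon name is DOMAIN\name$ and the
# password is the empty string: the SCM obtains the real one from the MSA.
# Unlike services.msc, this does NOT grant "Log on as a service"; grant it
# via Group Policy or secedit if the account has never held it on this host.
$netbios = (Get-ADDomain).NetBIOSName
$logon   = '{0}\{1}$' -f $netbios, $msaName         # e.g. CONTOSO\svcWebSite$
$svc     = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
$rc      = $svc.Change($null, $null, $null, $null, $null, $null, $logon, "")
if ($rc.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($rc.ReturnValue)"
}
Restart-Service -Name W3SVC

# Confirm the service is now running under the MSA and see when AD last
# rotated the password (it should never be older than 30 days).
(Get-WmiObject Win32_Service -Filter "Name='W3SVC'").StartName
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Test-ADServiceAccount is the check worth keeping around: run it on the host after any rebuild, domain rejoin or OU move, because a $false result there is the cause of a service that suddenly fails to start with a logon failure. The Win32_Service.Change call is equivalent to filling in the Log On tab by hand; if you prefer the console, only the last two lines of Part 2 are needed.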


4 Comments

  1. Christoper

    Helpful ideas! I have been hunting for anything like this for a while. Finally! Thanks!
  2. Greg Stigers

    The step-by-step, from start to finish, is fantastic. Thanks for writing this. If I'm installing software, such as System Center Orchestrator, and want to tell it to use this account, how do I do that? It wants to validate the account credentials. It looks like the thing to do is delete the service account, recreate it with a password, and then provide that.
  3. Zeya

    I want to use this managed service account on Windows 7, which is connected to the domain controller.
    I assigned the MSA to the Windows 7 computer, but when I try to install it there through PowerShell with Install-ADServiceAccount -Identity, PowerShell is not accepting this command. So how do I install it on a Windows 7 computer?
  4. Conner Henry

    Is there a way to do this using DSC now?
