Managed Service Accounts

Managed Service Accounts seem to be the end-all, fix-all for services such as Exchange or SQL that we have all, at some point, set to run as Local System, as an administrator account, or at best as a domain user account set up with the principle of least privilege. Using an account such as Local System grants more rights than necessary, and the service ends up running as a local administrator equivalent. Using a normal domain user account, even one set up with the principle of least privilege, still leaves a lot to be desired, since password management for that account is an ongoing security problem. The solution is a Managed Service Account (MSA), a new feature of Windows Server 2008 R2 and Windows 7. A domain operating at a functional level below 2008 R2 can take advantage of the automatic password management feature of MSAs; one operating at the 2008 R2 level can also take advantage of the automatic SPN (Service Principal Name) management feature.

To create a managed service account, open PowerShell as a user with permissions to update Active Directory and run the Import-Module -Name ActiveDirectory command.


If you're running this on a computer that is not a domain controller and you receive the error below, you'll need to install the Active Directory module for Windows PowerShell.

Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
At line:1 char:14
+ Import-Module <<<< ActiveDirectory
    + CategoryInfo : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Run the Import-Module ServerManager cmdlet.

Run the Add-WindowsFeature RSAT-AD-PowerShell cmdlet to install the Active Directory module for Windows PowerShell.

Close and re-open PowerShell; otherwise you may receive the error below:

Attempting to perform the InitializeDefaultDrives operation on the ‘ActiveDirectory’ provider failed.


You should now be able to run the Import-Module -Name ActiveDirectory command without error.


Run the New-ADServiceAccount cmdlet using the following syntax:

New-ADServiceAccount -Name "<account name>" -Enabled $true -Path "<path to organizational unit>"

In this example, the command is:

New-ADServiceAccount -Name "svcWebSite" -Enabled $true -Path "cn=Managed Service Accounts,dc=mikefrobbins,dc=com"

If you did not receive any error messages, the new Managed Service Account should appear in the specified OU in Active Directory Users and Computers.


Link the service account to the computer you want to use it on using the following syntax:

Add-ADComputerServiceAccount -Identity "<the computer that will use the MSA>" -ServiceAccount "<service account name>"

In this example, the command is:

Add-ADComputerServiceAccount -Identity "WEB" -ServiceAccount "svcWebSite"

Open PowerShell on the computer where you want to use the Managed Service Account and import the Active Directory module with Import-Module -Name ActiveDirectory.

Install the MSA on the computer you want to use it on using the following syntax:

Install-ADServiceAccount -Identity <MSA name>

In this example, the command is:

Install-ADServiceAccount -Identity svcWebSite

If you receive the error below, it's due either to not having the necessary permissions to update AD or to UAC preventing the command from running.

Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000022)'.
At line:1 char:25
+ Install-ADServiceAccount <<<< -Identity "svcWebSite"
    + CategoryInfo : WriteError: (svcWebSite:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

If you received the error above, try right-clicking the Windows PowerShell icon and selecting "Run as Administrator".

Now enter the service account name, which ends with a $, wherever you want to use it, and leave the password blank.
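The steps above combined into a single script, added here as an example and not code from the original post. It assumes the names used in the post (svcWebSite, WEB, and the OU path), that the AD module is installed, and that it runs in an elevated session as a user allowed to create objects in that OU; the final PasswordLastSet check is my addition for confirming that rotation is actually happening.

```powershell
# Added example: provision an MSA end to end and verify it.
# Assumptions: 2008 R2 domain, AD module installed, elevated session,
# names below taken from the post (adjust for your environment).
Import-Module -Name ActiveDirectory -ErrorAction Stop

$msaName  = 'svcWebSite'
$hostName = 'WEB'
$ouPath   = 'cn=Managed Service Accounts,dc=mikefrobbins,dc=com'

# Step 1: create the MSA, but only if it does not already exist,
# so the script can be re-run safely.
try {
    $null = Get-ADServiceAccount -Identity $msaName -ErrorAction Stop
    Write-Verbose "MSA $msaName already exists; skipping creation"
}
catch {
    New-ADServiceAccount -Name $msaName -Enabled $true -Path $ouPath
}

# Step 2: authorize exactly one computer to retrieve the MSA password.
# Least privilege: do not link the same MSA to more hosts than it needs.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Step 3: on the host itself, install the account locally so services
# can log on with it. Run this part on WEB; without elevation it fails
# with the 0xc0000022 (access denied) error shown in the post.
if ($env:COMPUTERNAME -eq $hostName) {
    Install-ADServiceAccount -Identity $msaName
    if (-not (Test-ADServiceAccount -Identity $msaName)) {
        throw "MSA $msaName is not usable on $env:COMPUTERNAME"
    }
}

# Step 4 (added check): confirm the automatic password rotation is
# working. With the 30-day default, a PasswordLastSet older than
# 30 days means the host is not renewing the password and should be
# investigated before the service breaks.
$acct = Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet
$age  = (Get-Date) - $acct.PasswordLastSet
if ($age.TotalDays -gt 30) {
    Write-Warning ("{0} password last set {1:N0} days ago; rotation may be stuck" -f $msaName, $age.TotalDays)
}
else {
    Write-Output ("{0} password age: {1:N0} days (OK)" -f $msaName, $age.TotalDays)
}
```

The service itself is then configured to log on as DOMAIN\svcWebSite$ with an empty password; the $ suffix is what distinguishes the MSA from an ordinary user account.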

A Managed Service Account automatically changes its password every thirty days by default, so password management is no longer an issue.