Windows Managed Service Accounts

I had a much longer post here but when I published it, the content disappeared. So until I decide to go through the steps again and redocument them, the short story is: Managed Service Accounts are great. I like them better than the standard way service accounts were handled in the past. When creating an account, be sure the account name is not longer than 15 characters. If it is longer than 15 characters, you will not be able to install it on the computer you want to use it on.

These can be used only on Windows Server 2008 R2 and Windows 7. They can only be created once the Active Directory schema has been extended to the Windows Server 2008 R2 version, but the domain functional level itself can be Windows Server 2008 R2, 2008, 2003, or mixed mode. Only the 2008 R2 domain functional level provides automatically managed passwords and SPNs.

The main commands needed to use Managed Service Accounts are:

  • New-ADServiceAccount -Name <accountname> -Description "accountdescription"
  • Add-ADComputerServiceAccount -Computer <computername> -ServiceAccount <accountname>
  • Install-ADServiceAccount -Identity <accountname>

These commands have to be run from the Active Directory Module for Windows PowerShell in an elevated session (Run as administrator), or some of them will fail. The first command creates the account in AD. The second command authorizes the computer to use the account. The last command must be run on the computer where you plan to use the account.
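Here is the whole procedure as one script, added as an example and not part of the original post. The domain name CONTOSO, the account name svcWeb01, the host WEB01 and the service MyWebSvc are assumptions for illustration; the first half runs anywhere the AD module is loaded, the second half must run on WEB01 itself.

```powershell
# Added example: create, assign and install a standalone Managed Service Account,
# then bind a Windows service to it. Names below are assumptions, not from the post.
Import-Module ActiveDirectory

$msaName  = 'svcWeb01'   # assumed account name; 8 characters, well under the limit
$hostName = 'WEB01'      # assumed computer that will run the service
$svcName  = 'MyWebSvc'   # assumed service already installed on WEB01

# Enforce the 15-character limit up front; a longer name creates fine in AD
# but cannot be installed on the computer later.
if ($msaName.Length -gt 15) {
    throw "MSA name '$msaName' is $($msaName.Length) characters; the limit is 15."
}

# --- Part 1: run from any machine with the AD module, with rights to create accounts ---

# Create the account in AD. No password is supplied; the domain generates and rotates it.
New-ADServiceAccount -Name $msaName -Description "Service account for $svcName on $hostName"

# Authorize WEB01 to use the account (links the MSA to the computer object).
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# --- Part 2: run on WEB01, in an elevated AD module session ---

# Install the account on the local computer so it can retrieve the managed password.
Install-ADServiceAccount -Identity $msaName

# Verify the install before touching the service; this fails if the name is too long
# or the computer was never authorized in Part 1.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$msaName is not usable on $env:COMPUTERNAME; check the steps in Part 1."
}

# Point the service at the MSA. The trailing '$' is required and the password is left
# empty because the computer fetches it itself. Caveat: setting the account through
# services.msc grants "Log on as a service" automatically; sc.exe does not, so grant
# that right separately if the service then fails to start.
$netbios = (Get-ADDomain).NetBIOSName
& sc.exe config $svcName obj= "$netbios\$msaName`$" password= ""
Restart-Service -Name $svcName
```

Test-ADServiceAccount is the quickest way to distinguish a failed install (for example a name over 15 characters) from a service configuration problem, so run it before reconfiguring the service.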