Years ago I learned to accept the fact that you sometimes just need to have service accounts with never-expiring passwords. Until Microsoft launched Windows Server 2008 R2, that is.
Managed Service Accounts (MSA) allow you to eliminate those never-expiring service accounts. An MSA is a special domain account whose password is managed by the computer that uses it: the computer changes the password automatically (by default on the same 30-day schedule as its own computer account password) without any administrator involvement. Because nobody ever types or stores that password, it cannot be reused on another system or leaked from a script, and an MSA cannot be used for interactive logon at all.
To use Managed Service Accounts you must meet the following requirements:
Active Directory Users and Computers will show you a container called Managed Service Accounts just below the root of the domain.
Server or client on which the account is created or used:
There is no GUI tool for creating an MSA, but the PowerShell command is easy. Just open the Active Directory Module for Windows PowerShell and execute the command:
After this the account will be available in ADUC in the container Managed Service Accounts.
To use the MSA you have to install it on the computer that will run the service. To do this, run the following command on that computer with the Active Directory Module for Windows PowerShell.
NOTE: On Windows Server 2008 R2 and Windows 7 an MSA can be used on one computer only. Windows Server 2012 and Windows 8 add group Managed Service Accounts (gMSA), which can be used on multiple computers; a standalone MSA stays tied to a single host.
To configure a service to log on with the Managed Service Account, open the service's properties, go to the Log On tab and search for the account like you normally would, but make sure the password boxes are left empty. You will notice that a $ sign is appended to the account name (it is a computer-style account, e.g. DOMAIN\name$); the Services console also grants the account the "Log on as a service" right for you.
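The whole procedure above (create, link, install, verify, assign to a service) as one script. This is an added example, not code from the original post; the domain CONTOSO, the account svc-web01, the host WEB01 and the service MyAppSvc are placeholders you must replace with your own names.

```powershell
# Added example, not from the original post. CONTOSO, svc-web01, WEB01 and
# MyAppSvc are placeholders; replace them with your own domain, MSA, host and service.
Import-Module ActiveDirectory

$domain      = 'CONTOSO'
$msaName     = 'svc-web01'
$hostName    = 'WEB01'
$serviceName = 'MyAppSvc'

# 1. Create the MSA (from an admin workstation or DC with the AD module).
#    Windows Server 2008 R2 only knows standalone MSAs. On Windows Server 2012
#    add -RestrictToSingleComputer to get the same kind of account; without it
#    the cmdlet expects group MSA parameters (-DNSHostName,
#    -PrincipalsAllowedToRetrieveManagedPassword) and a KDS root key.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Bind the account to the one computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- Steps 3 to 6 run on WEB01 as a local administrator ---

# 3. Install the MSA on the host so LSA can retrieve and keep rotating the password.
Install-ADServiceAccount -Identity $msaName

# 4. Check that this host can really use the account before touching any service.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# 5. Confirm the account is enabled and has a recent, machine-managed password.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet

# 6. Scripted equivalent of the Log On tab: DOMAIN\name$ with an empty password.
#    The SCM and LSA fetch the real password; no human ever sees it.
#    Win32_Service.Change returns 0 on success. Unlike the Services MMC this
#    path does not grant "Log on as a service", so assign that right via Local
#    Security Policy or Group Policy if the service then fails with a logon error.
$account = "$domain\$msaName`$"
$svc     = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$result  = $svc.Change($null, $null, $null, $null, $null, $null, $account, $null)
if ($result.ReturnValue -ne 0) {
    throw "Failed to change logon account for $serviceName (code $($result.ReturnValue))"
}
Restart-Service -Name $serviceName
```

Step 4 is the check worth keeping around: run Test-ADServiceAccount again after a domain controller change or a host rename, because a standalone MSA that is no longer bound to the computer will simply stop the service at the next restart.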
This post applies to: Windows 2008 R2, Windows 2012.
Tips & Tweaks for Windows