Quick How-To: Managed Service Accounts

A lot of organizations use custom service accounts, rather than Local System, Local Service, or Network Service. The main reason for doing this is that by configuring a custom service account, you can really ramp down the privileges needed by that service account, rather than using the more generic low level privileges assigned to one of the three standard service accounts.

A disadvantage of using custom service accounts is the amount of extra work they require in terms of maintenance. A specific gripe of a lot of administrators is ensuring that passwords are regularly kept rotated when your organization enforces strict password policies.

Managed Service Accounts are a feature new to Windows Server 2008 R2 that take the pain out of rotating passwords for custom service accounts. Managed Service Accounts automatically rotate passwords in a way that is very similar to how the passwords of computer accounts are automatically updated on a regular basis.

Managed Service Accounts can only be used on computers running Windows Server 2008 R2 or later or the Windows 7 client operating system or later. To use managed service accounts, you need to have extended your Active Directory Schema to Windows Server 2008 R2, though you should probably also be running your domain and forest at the 2008 R2 functional level. Managed Service accounts have the following limitations:

  • A managed service account can be used for services on a single computer.
  • Service accounts cannot be shared between multiple computers
  • Managed service accounts cannot be used in clusters where a service replicates to multiple nodes.

You also cannot create a Managed Service Account using Active Directory Users and Computers. This is important, because when you right click on the Managed Service Account OU there is the is an option that looks like it allows you to create a managed service account, but this will not work as it will lack necessary AD attributes.

You create managed service accounts in PowerShell v2 with the New-ADServiceAccount cmdlet. You can only utilize the New-ADServiceAccount cmdlet if you have the Active Directory modules present in your PowerShell session. You get the Active Directory modules by using the Import-Module ActiveDirectory command.

When you create a managed service account, the account is placed by default in the Managed Service Account container in Active Directory.

To create an account called Exchange-Melb-HT, you would run the command

New-ADServiceAccount Exchange-Melb-HT

It is generally a good idea to have the Managed Service Account name reflect the name of the computer on which it will be used.

To install the managed Service account on the local computer, use the Install-ADServiceAccount cmdlet. For example

Install-ADServiceAccount Exchange-Melb-HT

This will allow you to configure services on the local computer to use this account.

Once this is done, you can use the services console to configure services to use the account. To do this view the properties of the service you want to configure, and on the Log On tab, enter the name of the managed service account as domainname\accountname$. For the account I created earlier in the Adatum domain, this would be Adatum\Exchange-Melb-HT$. The $ needs to be placed at the end of the account name.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.