Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting

First published on TechNet on Sep 10, 2009

Group Managed Service Accounts superseded MSAs, which were introduced in Windows 7 and Windows Server 2008 R2 (both no longer supported). Please use this updated link for more current information: http://…


Ned here again. One of the more interesting new features of Windows Server 2008 R2 and Windows 7 is Managed Service Accounts. MSA's allow you to create an account in Active Directory that is tied to a specific computer. That account has its own complex password and is maintained automatically. This means that an MSA can run services on a computer in a secure and easy to maintain manner, while keeping the ability to connect to network resources as a specific user principal.

Today I will:

  • Describe how MSA works
  • Explain how to implement MSA’s
  • Cover some limitations of MSA’s
  • Troubleshoot a few common issues with MSA’s

Let's get to it.

How Managed Service Accounts Work

The Windows Server 2008 R2 AD Schema introduces a new object class called msDS-ManagedServiceAccount. Create an MSA, examine its objectClass attribute, and notice the object has an interesting object class inheritance structure:


The object is a user and a computer at the same time, just like a computer account. But it does not have an object class of person like a computer account typically would; instead it has msDS-ManagedServiceAccount. MSA's inherit from a parent object class of "Computer", but they are also users. MSA objects do not contain new attributes from the Win2008 R2 schema update.

And this leads me to how MSA's handle passwords – it's pretty clever. An MSA is a quasi-computer object that uses the same password update mechanism used by computer objects. So, the MSA account password is updated when the computer updates its password (every 30 days by default). This can be controlled – just like a computer's password – with the following two DWORD values:


DisablePasswordChange = [0 or 1, default if the value name does not exist is 0]
MaximumPasswordAge = [1-1,000,000 in days, default if the value name does not exist is 30]

MSA's, like computers, do not observe domain or fine-grained password policies. MSA's use a complex, automatically generated password (240 bytes, which is 120 characters, and cryptographically random). MSA's cannot be locked out, and cannot perform interactive logons. Administrators can set an MSA password to a known value, although there's usually no justifiable reason (and they can be reset on demand; more on this later).

All Managed Service Accounts are created (by default) in the new CN=Managed Service Accounts, DC=, DC= container. You can see this by configuring DSA.MSC to show "Advanced Features":

As you will see later though, there isn't much point to looking at this in AD Users and Computers because… wait for it… all your administration will be done through PowerShell. You knew that was coming, didn't you?

MSA's automatically maintain their Kerberos Service Principal Names (SPN), are linked to one computer at a time, and support delegation. A network capture shows a correctly configured MSA using Kerberos:

Implementing MSA's

Forest and OS Requirements

To use MSAs you must :

  • Use Active Directory
  • Extend your AD schema to Windows Server 2008 R2
  • Host services using MSAs on Windows Server 2008 R2 and Windows 7 computers (MSAs cannot be installed on down-level operating systems)
  • Have PowerShell, AD PowerShell (part of the RSAT), and the .NET 3.5x framework enabled on any computers using or configuring MSAs

MSAs do not require a specific Forest Functional Level, but there is a scenario where part of MSA functionality requires a Windows Server 2008 Domain Functional Level. This means:

  • If your domain is Windows Server 2008 R2 functional level, automatic passwords and SPN management will work
  • If your domain is less than Windows Server 2008 R2 Domain Functional Level, automatic passwords will work. Automatic SPN management will not work, and SPN's will have to be maintained by administrators


Using a new MSA always works in four steps:

1. You create the MSA in AD.
2. You associate the MSA with a computer in AD.
3. You install the MSA on the computer it was associated with.
4. You configure the service(s) to use the MSA.

We begin by using PowerShell to create the new MSA in Active Directory. You can run this command on a Windows Server 2008 R2 or Windows 7 computer that has the RSAT feature "Active Directory Module for Windows PowerShell" enabled. Perform all commands as an administrator.

1. Start PowerShell.

2. Import the AD module with:

Import-Module ActiveDirectory

3. Create an MSA with:

New-ADServiceAccount -Name -Enabled $true

4. Associate the new MSA with a target computer in Active Directory:

Add-ADComputerServiceAccount -Identity -ServiceAccount

5. Now log on to the target computer where the MSA is going to be running. Ensure the following features are enabled:

  • Active Directory Module for Windows PowerShell
  • .NET Framework 3.5.1 Feature

6. Start PowerShell.

7. Import the AD module with:

Import-Module ActiveDirectory

8. Install the MSA with:

Install-ADServiceAccount -Identity

Note: Besides being a local administrator on the computer, the account installing the MSA needs permissions to modify the MSA in AD. If it is a domain admin this "just works"; otherwise, you would need to delegate change permissions on the service account's AD object.

9. Now you can associate the new MSA with your service(s).

The GUI way:

a. Start services.msc.
b. Edit your service's properties.
c. On the Log On tab, set "This Account" to the domainname\accountname$ of your MSA. So if your MSA was called "AskDS" in the "contoso" domain, it would be contoso\askds$:
d. Remove all information from Password and Confirm password – they should not contain any data:

e. Click Apply and OK to the usual "Logon as a Service Right granted" message:

f. Start the service. It should run without errors.

The PowerShell way:

a. Start PowerShell.
b. Paste this sample script into a text file:

# Sample script for setting the MSA password through PowerShell
# Provided "AS IS" with no warranties, and confers no rights.
# See http://

# Edit this section:
$MSA="contoso\askds$"
$ServiceName="'testsvc'"
# Don't edit this section:
# An MSA has no password you supply; the Change method must receive $null
$Password=$null
$Service=Get-WmiObject win32_service -filter "name=$ServiceName"
$InParams = $Service.psbase.getMethodParameters("Change")
$InParams["StartName"] = $MSA
$InParams["StartPassword"] = $Password
$Service.invokeMethod("Change",$InParams,$null)

c. Modify the two lines under "Edit this section" to correctly configure your MSA and service name.
d. Save the text file as MSA.ps1.
e. In your PowerShell console, get your current execution policy with:

Get-ExecutionPolicy

f. Set your execution policy to remote signing only:

Set-ExecutionPolicy remotesigned

g. Run the script:

.\MSA.ps1

h. Set your execution policy back to whatever was returned in step e:

Set-ExecutionPolicy <policy from step e>

Note: Obviously, I made this example very manual; it could easily be automated completely. That's the whole point of PowerShell after all. Also, it is alright to shake your fist at us for not having the User and Password capabilities in the V2 PowerShell cmdlet Set-Service. Grrr.
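The fully automated version the note alludes to, as an added example that is not code from the original post: it runs the four steps from the target computer itself while logged on as a domain admin, and refuses to take an MSA that is already linked to another computer. The names are placeholders, and the msDS-HostServiceAccountBL attribute and Test-ADServiceAccount cmdlet are assumptions not mentioned in the post.

```powershell
# Added example, not from the original post. Run on the computer that will host
# the service, as a domain admin (see the note on permissions above).
Import-Module ActiveDirectory

$MsaName     = 'AskDS'      # placeholder AD object name; sAMAccountName becomes AskDS$
$ServiceName = 'testsvc'    # placeholder service on this computer
$Domain      = (Get-ADDomain).NetBIOSName
$ThisHost    = $env:COMPUTERNAME

# Step 1: create the MSA in AD (skipped if it already exists). AD manages its
# 120-character password from here on; we never set or store one.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -Enabled $true
}

# Step 2: associate the MSA with this computer, but do not steal it from another
# computer: that is the "Duplicate Backlink" failure in the troubleshooting section.
$msa   = Get-ADServiceAccount -Identity $MsaName -Properties 'msDS-HostServiceAccountBL'
$links = @($msa.'msDS-HostServiceAccountBL' | Where-Object { $_ })   # assumption: backlink attribute
$myDn  = (Get-ADComputer -Identity $ThisHost).DistinguishedName
if ($links.Count -gt 0 -and $links -notcontains $myDn) {
    throw "MSA '$MsaName' is already linked to: $($links -join '; ')"
}
Add-ADComputerServiceAccount -Identity $ThisHost -ServiceAccount $MsaName

# Step 3: install the MSA locally and confirm this computer can actually use it
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {   # assumption: cmdlet available
    throw "Install-ADServiceAccount ran, but MSA '$MsaName' is not usable on $ThisHost"
}

# Step 4: point the service at DOMAIN\name$ with a null password. A missing "$"
# or a non-null password produces the logon errors listed in the troubleshooting section.
$account = "$Domain\$MsaName`$"
$svc     = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $ThisHost" }
$params  = $svc.psbase.GetMethodParameters('Change')
$params['StartName']     = $account
$params['StartPassword'] = $null
$rc = $svc.InvokeMethod('Change', $params, $null).ReturnValue
if ($rc -ne 0) { throw "Win32_Service.Change failed with return code $rc" }

# Restart so the new Log On identity takes effect, then show what the service runs as
Restart-Service -Name $ServiceName
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```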


Removing an MSA is a simple two-part process. Now that you know all the PowerShell rigmarole, here are the two things you do:

1. Use the following PowerShell cmdlet to remove the MSA from a local computer:

Remove-ADServiceAccount –Identity

2. Optionally, remove the service account from Active Directory. You can skip this step if you just want to reassign an existing MSA from one computer to another.

Remove-ADComputerServiceAccount –Identity -ServiceAccount

Group Memberships

The Set-ADServiceAccount and New-ADServiceAccount cmdlets do not allow you to make MSA's members of groups. To do this you will instead use DSA.MSC or Add-ADGroupMember.

AD Users and Computers method:

1. Start DSA.MSC .
2. Select the group ( not the MSA ) .
3. Add the MSA through the Members tab:

PowerShell method:

1. Start PowerShell.
2. Run:

Add-ADGroupMember "" ""

So for example:

Note: Use the distinguished name of the MSA; otherwise Add-ADGroupMember will return "cannot find object with identity". Don't try to use NET GROUP as it doesn't know how to find MSA's.


Managed Service Accounts are useful in most service scenarios. There are limits though, and understanding these up front will save you planning time later.

  • MSA’s cannot span multiple computers – An MSA is tied to a specific computer. It cannot be installed on more than one computer at once. In practical terms, this means MSAs cannot be used for:
    • Cluster nodes
    • Authenticated load-balancing using Kerberos for a group of web servers

The MSA can only exist on one computer at a time; therefore, MSAs are not compatible with cluster fail-over scenarios. And authentication through a load balancer would require you to provide a Kerberos SPN of the MSA account – that won't work either. Load balancing scenarios include Microsoft software-based and third-party hardware and software-based load balancing solutions. If you're clustering or NLB'ing, then you are still going to need to use old fashioned service accounts.

A key clarification: You can have multiple MSAs installed on a single computer. So if you have an application that uses 5 services, it's perfectly alright to use one MSA on all five services or five different MSA's at once.

  • The supportability of an MSA is determined by the component, not Windows – Just because you can configure an MSA on a service doesn’t mean that the folks who make that service support the configuration. So, if the SQL team here says “we don’t support MSA’s on version X”, that’s it. You have to convince them to support their products, not me :-). Some good places to start asking, as we get closer to the general availability of Windows Server 2008 R2 in October:

TechNet Forums – http://
MSDN Forums – http://
SQL Support Blog – http://
Exchange Blog – http://
SharePoint Blog – http://
Dynamics Blog – http://
BizTalk Blog – http://


For the most part MSA's are straightforward and have easily understandable errors. There are a few issues that people seem to run into repeatedly though:

Error: Error 1069: The service did not start due to a logon failure.

Cause: Typically caused by the MSA being disabled. Use Set-ADServiceAccount to enable your MSA.

Error: Duplicate Backlink. The service account 'AskDS2' has backlinks to computer 'CN=2008R2-F-05,CN=Computers,DC=contoso,DC=com'. This add operation will potentially disable service accounts installed on the other computer. Cannot install service account. Error Message: 'Unknown error (0xc000005a)'

Cause: You are trying to associate an MSA with a computer when it is already used by another computer. The error names the server (in this case, 2008r2-f-05) currently using the MSA. Un-associate and uninstall the MSA from the old computer before using it on the new one.

Error: Add-ADComputerServiceAccount : The object could not be found on the server.

Cause: You gave an incorrect identity for the MSA and PowerShell cannot find it. Either it's been deleted or you typed in the wrong name.

Error: Please enter a valid password.

Cause: You did not remove the password data in the service's Log On properties when editing in services.msc. See the setup steps above.

Error: The account name is invalid or does not exist, or the password is invalid for the account name specified.

Cause: This is typically caused by not adding the "$" character to the end of the account name used in the Log On tab of the service's properties in services.msc. This error is also caused by simply mistyping the name of the account or forgetting to add the appropriate domain.

Final Notes and References
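A diagnostic that walks the causes above in order, as an added example that is not code from the original post: run it on the computer hosting a service that will not start, and it checks the service's Log On account format, the MSA's existence and Enabled state, its backlink, and whether it is installed locally. $ServiceName is a placeholder; the msDS-HostServiceAccountBL attribute and Test-ADServiceAccount are assumptions not mentioned in the post.

```powershell
# Added example, not from the original post. Run on the computer hosting the service.
Import-Module ActiveDirectory
$ServiceName = 'testsvc'    # placeholder: the service that fails to start
$findings    = @()

$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this computer" }
$startName = $svc.StartName                        # should look like CONTOSO\AskDS$

# "The account name is invalid...": must be DOMAIN\name with a trailing "$"
if ($startName -match '^(?<dom>[^\\]+)\\(?<name>[^\\]+)\$$') {
    $dom  = $Matches['dom']
    $name = $Matches['name']
    if ($dom -ne (Get-ADDomain).NetBIOSName) {
        $findings += "Log On domain '$dom' is not this computer's domain"
    }
    # "The object could not be found": the MSA was deleted or misspelled
    $msa = Get-ADServiceAccount -Filter "Name -eq '$name'" -Properties Enabled,'msDS-HostServiceAccountBL'
    if (-not $msa) {
        $findings += "No MSA named '$name' exists in AD"
    } else {
        # "Error 1069": the MSA is disabled
        if (-not $msa.Enabled) {
            $findings += "MSA '$name' is disabled; run Set-ADServiceAccount -Identity $name -Enabled `$true"
        }
        # "Duplicate Backlink": the MSA is associated with a different computer
        $myDn  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
        $links = @($msa.'msDS-HostServiceAccountBL' | Where-Object { $_ })   # assumption: backlink attribute
        if ($links -notcontains $myDn) {
            $findings += "MSA '$name' is linked to '$($links -join '; ')', not to this computer"
        }
        # Associated but never installed here (Install-ADServiceAccount skipped or failed)
        if (-not (Test-ADServiceAccount -Identity $name)) {                  # assumption: cmdlet available
            $findings += "MSA '$name' is not installed on this computer"
        }
    }
} else {
    $findings += "Log On account '$startName' is not in the form DOMAIN\name$ (note the trailing `$)"
}

if ($findings.Count -eq 0) { "No MSA misconfiguration found for '$ServiceName'" } else { $findings }
```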

For further reading on Managed Service Accounts, check out:

And there you go – now go forth and tame your environment.

– Ned '120 characters ought to be enough for anyone' Pyle
