


You Need To Create A Managed Service Account. What Should You Do?

Managed Service Accounts (MSA): Installing a service

Recently, one of our users asked us if it is possible to install, through Advanced Installer, a service under a Managed Service Account (MSA).

If you're new to Advanced Installer, we recommend you take advantage of the 30-Day Full-Featured Free Trial (no credit card required).

Since it took quite a while to investigate all this, as I was not familiar with what Managed Service Accounts are, I decided to create this how-to, hoping that other users may find this useful.

A brief explanation before we begin (this is probably skippable: if you were searching for this, you are probably already familiar with what an MSA is):

The first question that came into my mind when I read that request was "What is a Service Account?".

What is a Service Account, and what are Managed Service Accounts?

A service account is a user account created to run a particular service or software. To have good security, a service account should be created for each service/application on your network.

As you can imagine, a significant drawback to this is password management.

For large networks, this means a lot of service accounts, and the management of these service accounts can become complicated. This is where Managed Service Accounts (MSA) come to help.

One of the biggest advantages of an MSA is NO MORE Password Management. It uses a complex, random, 240-character password that automatically changes when it reaches the domain or computer password expiry date.

Standalone Managed Service Accounts (sMSAs) VS Group Managed Service Accounts (gMSAs)

What is a standalone Managed Service Account (sMSA)?

As we have discussed earlier: a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate its management to other administrators.

What is a group Managed Service Account (gMSA)?

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers.

For a more in-depth overview of this, please look at Microsoft's Group Managed Service Accounts Overview article.

How to create a Managed Service Account on Windows

Prerequisites:

  • Windows Server 2012 or above
  • Active Directory Domain Services (AD DS)

Important: This is all intended for test purposes, therefore please follow these steps on a test machine (e.g., a Virtual Machine).

You can create an MSA by using the Active Directory module for PowerShell.

As explained above, to create an MSA, we will need the Active Directory module for PowerShell. To do so, please open PowerShell on your Windows Server machine and type the following:

Import-Module ActiveDirectory

The first thing we need to do is to create a Key Distribution Service Root Key (KdsRootKey).

Domain Controllers (DC) require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 hours from the time of creation to let all domain controllers converge their AD replication before allowing the creation of a gMSA.

Since this is only meant for test purposes, we will skip the 10-hour part of the KdsRootKey generation. To do so, we can use the following:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Now, we are pretty much ready to go. To create a new Managed Service Account, we can proceed as follows:

New-ADServiceAccount -Name TestMSA -Path "CN=Managed Service Accounts,DC=catalin,DC=test" -DNSHostName hostname.catalin.test

where:

  • hostname stands for the computer name
  • catalin.test is my Domain Controller

After creating the MSA, we will now specify which computer can request and access the password. To do so, we can proceed as follows:

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

where:

  • WIN-N8MH1OCCOTD - represents the computer name

We can now test the managed service account. To do so, please proceed as follows:

Test-ADServiceAccount -Identity TestMSA | Format-List

The above should return True. If so, it is now time to install our Managed Service Account:

Install-ADServiceAccount -Identity TestMSA

After doing so, we can retrieve our managed service account by running the following:

Get-ADServiceAccount -Filter *

This will return our MSA.

You can also check for the account from within the UI, by opening "dsa.msc" --> your Domain Controller --> "Managed Service Accounts":

(Screenshot: the "Managed Service Accounts" container in dsa.msc)

You can find all the above code below:

Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name TestMSA -Path "CN=Managed Service Accounts,DC=catalin,DC=test" -DNSHostName hostname.catalin.test
Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$
Test-ADServiceAccount -Identity TestMSA | Format-List
Install-ADServiceAccount -Identity TestMSA
Get-ADServiceAccount -Filter *

(Screenshot: the commands above run in the PowerShell Active Directory module)
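The commands above run the procedure once, with no checks in between. The script below is an added example, not code from the original post or from Advanced Installer: it follows the same steps (KDS root key, account creation, granting one computer the right to retrieve the password, install, test) but skips the root key if the domain already has one, derives the container path from the domain instead of hard-coding it, and verifies the result. It assumes the post's lab names (domain catalin.test, account TestMSA, computer WIN-N8MH1OCCOTD) and that it is run as a domain administrator; the install and test steps only make sense on the computer that was granted retrieval rights, so they are guarded by a hostname check. Note that on Windows Server 2012 and later New-ADServiceAccount creates a group MSA unless -RestrictToSingleComputer is given, which is the flavour the post's flow actually uses.

```powershell
# Added example (not from the original post). Lab-only helper that creates a
# managed service account end to end and verifies each step.
Import-Module ActiveDirectory

$AccountName = 'TestMSA'            # account name from the post
$DnsDomain   = 'catalin.test'       # DNS domain from the post
$HostName    = 'WIN-N8MH1OCCOTD'    # computer that will run the service (from the post)
$DomainDn    = (Get-ADDomain).DistinguishedName          # e.g. DC=catalin,DC=test
$ContainerDn = "CN=Managed Service Accounts,$DomainDn"   # default container

# 1. KDS root key. Only add one if none exists; every extra key is replicated
#    domain-wide for nothing. Back-dating -EffectiveTime skips the 10-hour
#    replication wait and is strictly for a throw-away lab; in production use
#    -EffectiveImmediately and wait the 10 hours before creating a gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Create the account (idempotent). Without -RestrictToSingleComputer this
#    is a group MSA, matching the post's flow.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "$HostName.$DnsDomain" `
        -Path $ContainerDn
}

# 3. Allow exactly one computer to retrieve the managed password. Resolving the
#    computer object first fails loudly on a typo instead of silently granting
#    nothing; the sAMAccountName of a computer is its name plus "$".
$Computer = Get-ADComputer -Identity "$HostName`$"
Set-ADServiceAccount -Identity $AccountName `
    -PrincipalsAllowedToRetrieveManagedPassword $Computer

# 4. Install and test on the authorised host only. Test-ADServiceAccount answers
#    "can THIS computer use the account", so running it elsewhere proves nothing.
if ($env:COMPUTERNAME -eq $HostName) {
    Install-ADServiceAccount -Identity $AccountName
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "$AccountName is not usable on $HostName; check replication and step 3."
    }
}

# 5. Show what was created, including who may read the password.
Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword
```

The last command is also the check worth repeating later: the PrincipalsAllowedToRetrieveManagedPassword list is the whole access-control story for a gMSA, so any computer or group that appears there and should not is a finding.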

Now, to install a service under the MSA, we will need to do two things:

  • provide the "username", which looks like this:

DomainController\ManagedServiceAccount$

Based on the in a higher place sample, the username will look like this:

  • provide NO password

Basically, in Advanced Installer, in the "Services" page, you will need to specify the account under which the service will run.

(Screenshot: the Services page)

Last, but not least: the account should have enough privileges to start/work with services.
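The installer's Services page does the equivalent of setting the service logon account by hand. The script below is an added example, not code from the original post or from Advanced Installer, showing the same change from PowerShell so you can see what is actually being configured: the logon name in the DOMAIN\Account$ form and no password. It assumes a service named MyService (hypothetical) is already installed on this host, that the host was granted retrieval rights for TestMSA as in the steps above, and that the NetBIOS domain name can be read from Get-ADDomain.

```powershell
# Added example (not from the original post). Points an existing service at the
# managed service account and confirms it restarts under that identity.
Import-Module ActiveDirectory

$ServiceName  = 'MyService'                         # hypothetical service name
$AccountName  = 'TestMSA'                           # account name from the post
$NetBiosName  = (Get-ADDomain).NetBIOSName          # e.g. CATALIN
$LogonAccount = "$NetBiosName\$AccountName`$"       # DOMAIN\Account$ form, trailing $ required

# The account must be usable on this host before any service can log on with it.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "$AccountName is not usable on $env:COMPUTERNAME; run Install-ADServiceAccount here first."
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this host." }

# Win32_Service.Change sets the logon account. StartPassword stays $null: the
# service control manager fetches the managed password itself, nothing is stored.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $LogonAccount
    StartPassword = $null
}
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed with return code $($result.ReturnValue)."
}

# Restart so the new identity takes effect, then read the configuration back.
# If the start fails with a logon failure, the account is still missing the
# "Log on as a service" user right on this host: the Services MMC grants it when
# you pick the account, but a configuration change through the API does not.
Restart-Service -Name $ServiceName
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$after | Select-Object Name, State, StartName
if ($after.StartName -ne $LogonAccount) {
    throw "Service '$ServiceName' is running as '$($after.StartName)', not '$LogonAccount'."
}
```

Reading StartName back is the check that matters on a hardened host: it tells you the service really runs as the MSA rather than as a leftover LocalSystem or a personal domain account with a static password.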

Managed Service Account: FAQ

What is a managed service account?

A Managed Service Account is a Windows feature that was introduced in Windows Server 2008 to help non-user service accounts become more secure. Automatic password management, as well as simplified SPN management and the option to grant access to other administrators, can be provided through a managed service account.

Difference between a service account and a managed service account?

A significant difference between a local service account and a managed service account is that standalone managed service accounts are intended to address the difficulties generated by password management.

What is a standalone managed service account?

A standalone Managed Service Account (sMSA) is a managed domain account that one can use in order to secure a service running on a server.

What is gMSA?

A gMSA (group Managed Service Account) is a form of managed service account (MSA) that provides a higher level of security than regular MSAs for automated and non-interactive applications, services, and processes that need credentials. gMSAs can run on a single server or on multiple servers.

What is the difference between MSA and gMSA?

The group Managed Service Account (gMSA) delivers the same functionality as the MSA within the domain, but it also extends it over several servers.

What is a service account in windows?

A service account is a user account established specifically for the purpose of providing a security context for services running on Windows Server operating systems, and in this way controlling the service's ability to access local and network resources.


Source: https://www.advancedinstaller.com/managed-service-accounts-installing-service.html

Posted by: kinghistorl.blogspot.com
