Managed Service Accounts (MSAs) Versus Virtual Accounts in Windows Server 2008 R2
Both Managed Service Accounts (MSA) and virtual accounts were capabilities added to Windows Server 2008 R2 and Windows 7. There are some details posted on this subject on TechNet in Service Accounts Step-by-Step Guide, but unlike the TechNet article, the following table compares these two accounts based on their capabilities and applicable uses:
Capability |
Virtual account |
MSA |
Can be used on multiple computers in the domain? |
No. |
No. |
Available for use by operating systems prior to Windows 7 or Windows Server 2008 R2? |
No. |
No. installation of MSAs requires a machine running Windows 7 and Windows Server 2008 R2 Operating System. |
Enabled by default in the Windows 7 and Windows Server 2008 R2 operating system? |
Yes. |
No. |
Can be added by an administrator as a domain account? |
No. |
Yes. |
Automatically resets the account password without administrator intervention? |
Yes. |
Yes. |
Automatically resets SPN? |
Not applicable. |
Yes, if Windows Server 2008 R2 or Windows 7 computer registers the SPN. |
SPN management can be delegated? |
Not applicable. |
Yes. |
Best used for applications in an Active Directory domain that require a centralized access control for the service accounts they run under and when management of service accounts is a concern |
No. |
Yes. |
For more information about application requirements and configuration instructions for using managed service accounts, see the Service Account Step-by-Step Guide
For additional information, see: