Managed Service Accounts
Managed service accounts, introduced in Windows Server 2008 R2 and Windows 7, are domain accounts whose password and service principal names (SPNs) are maintained by Active Directory and the host computer rather than by an administrator. They provide the following features to simplify service administration:
- Automatic password management. The password is generated by the domain, rotated automatically (like a computer account password), and never has to be typed, stored, or known by an administrator.
- Simplified SPN management, including delegation of SPN management to other administrators. At the Windows Server 2008 R2 domain functional level, SPNs on the account are additionally updated automatically when the host computer's name (sAMAccountName or dNSHostName) changes.
Use of managed service accounts is considered a security best practice (ref: Microsoft Virtualization: The Complete Solution: Master Microsoft Server): because no person handles the password, it cannot be shared between services, reused across computers, written into scripts, or left unchanged for years, which are the usual weaknesses of conventional service accounts.
To use managed service accounts, the computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. In addition, the hotfix described in KB 2494158, "Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2", must be applied to the computer on which the managed service account is installed; without it, the service stops authenticating after the first automatic password change. A managed service account is bound to exactly one computer: it can be used by more than one service on that computer, but it cannot be shared between computers and cannot be used in server clusters where a service is replicated on multiple cluster nodes. (This restriction applies to the standalone managed service accounts described here; group managed service accounts, introduced in Windows Server 2012, can be used on multiple hosts.)
For more information about application requirements and configuration instructions for using managed service accounts, see the Service Account Step-by-Step Guide.
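The end-to-end procedure (create the account, bind it to its single host, register an SPN, install it on the host, point a service at it, then verify) as an added example written for this page using the Active Directory module for Windows PowerShell; it is not code from the original article or from the Step-by-Step Guide. The domain name corp.example (NetBIOS name CORP), the account name svc-web, the host WEB01, the SPN HTTP/web01.corp.example and the service name MyWebSvc are assumptions; PowerShell remoting to the host and the AD module (RSAT) being present on it are also assumed.

```powershell
# Added example (not from the original article). Assumed names: domain corp.example / CORP,
# MSA svc-web (sAMAccountName becomes svc-web$), host WEB01, SPN HTTP/web01.corp.example,
# Windows service MyWebSvc. Run the domain-side steps as a user permitted to create MSAs.
Import-Module ActiveDirectory

$msaName  = 'svc-web'                    # assumption: name of the managed service account
$hostName = 'WEB01'                      # assumption: the one computer that will use it
$spn      = 'HTTP/web01.corp.example'    # assumption: SPN of the hosted service
$msaPath  = 'CN=Managed Service Accounts,DC=corp,DC=example'   # default MSA container

# 1. Create the account. Active Directory generates the password; no one is ever shown it.
New-ADServiceAccount -Name $msaName -Enabled $true -Path $msaPath

# 2. Bind the MSA to exactly one computer. This writes msDS-HostServiceAccount on the
#    computer object; a second Add-ADComputerServiceAccount for another host is not supported.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. Register the SPN on the MSA so clients can obtain Kerberos tickets for the service.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{Add = $spn}

# 4. On the host itself: install the account into the local secret store and use it.
#    Requires the AD module (RSAT on Windows 7) and local administrator rights on WEB01.
Invoke-Command -ComputerName $hostName -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svc-web'
    if (-not (Test-ADServiceAccount -Identity 'svc-web')) {
        throw 'svc-web is not usable on this host: check the host binding and KB 2494158'
    }
    # Point the service at the MSA. The trailing $ is part of the account name and the
    # password is left empty: the Service Control Manager retrieves it itself.
    # sc.exe does not grant "Log on as a service"; grant it via services.msc or Group Policy
    # if the account does not already hold that right on this host.
    sc.exe --% config MyWebSvc obj= "CORP\svc-web$" password= ""
    Restart-Service -Name 'MyWebSvc'
}

# 5. Verify the security-relevant state: one host, the expected SPN, and a password
#    that Active Directory, not an administrator, set.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, ServicePrincipalNames, PasswordLastSet |
    Select-Object Name, HostComputers, ServicePrincipalNames, PasswordLastSet
```

The check in step 4 matters in practice: Test-ADServiceAccount fails when the host has not been bound with Add-ADComputerServiceAccount, when the MSA was installed on a different computer, or when the hotfix from KB 2494158 is missing and the first automatic password rotation has already happened. The trailing `$` in `CORP\svc-web$` is easy to forget and produces a logon failure for the service rather than a clear error.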
For additional information, see:
- Active Directory Administration with PowerShell: Managed Service Accounts
- What's New in Service Accounts in Windows Server 2008 R2
- Andrew Fryer's Blog: A Small Problem with Managed Service Accounts
- Managed Service Accounts (MSAs) versus virtual accounts in Windows Server 2008 R2