====== Managed Service Accounts ======

One of the biggest issues in most organizations is managing the service accounts for the many servers and applications that spread across the estate and are sometimes forgotten. The larger the organization, the worse the problem can be. PCI DSS, HIPAA, and FISMA standards and frameworks also have clauses that require any organization subject to them to enforce strong password rotation policies and to prove compliance. Microsoft has made this much easier with Managed Service Accounts, introduced with the Active Directory schema that shipped in Windows Server 2008 R2.

===== Creating and Using A Managed Service Account =====

==== Create The Managed Service Account And Associate With Computer ====

Log into a domain controller or create a remote PowerShell session with one:

<code powershell>
New-ADServiceAccount -Name -Enabled $true -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity -ServiceAccount
</code>

==== Install the Managed Service Account On The Computer ====

Log into the computer where you want to use the managed service account:

<code powershell>
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity
</code>

==== Configure The Service(s) To Use The Managed Service Account ====

On the computer where the service(s) are installed, run the following for each service that will run using the managed service account:

<code powershell>
$AccountName = '$'   # the managed service account name, followed by the trailing $
$ServiceName = ''    # the short (not display) name of the service
$Service = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
$Params = $Service.psbase.GetMethodParameters("Change")
$Params["StartName"] = $AccountName
$Params["StartPassword"] = $null   # the password is held and rotated by AD, so none is supplied
$Service.psbase.InvokeMethod("Change", $Params, $null)
</code>

Managed service accounts are tied to a specific computer and cannot span multiple computers: a managed service account cannot be installed on more than one computer at once. If you need to use a managed service account on cluster nodes, you'll need to use a [[windows:ad:group_managed_service_account]] instead.
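The steps above, carried through as one script with the checks an administrator would want around them. This is an added example, not code from the original page: it audits which services on the host still run under a named (human-rotated) account, verifies the managed service account is actually usable from this host before touching anything, applies the same ''Win32_Service.Change'' call the page uses while checking its return code, and restarts the service so the new identity takes effect. It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module and that ''Install-ADServiceAccount'' has already been run on the host; ''CONTOSO\svc-web$'' and ''MyAppSvc'' are placeholder names.

```powershell
# Added example (not from the original wiki page). Assumptions: Windows
# PowerShell 5.1 with the ActiveDirectory RSAT module, run on the host where
# the MSA has already been installed with Install-ADServiceAccount.
# 'CONTOSO\svc-web$' and 'MyAppSvc' are placeholders.

Import-Module ActiveDirectory

function Get-ServiceLogonAudit {
    # Lists every service that logs on with a domain or local user account.
    # Built-in identities are skipped; a logon name ending in '$' is an MSA/gMSA,
    # whose password is rotated by the domain rather than by an administrator.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                StartName      = $_.StartName
                ManagedAccount = $_.StartName.EndsWith('$')
            }
        }
}

function Set-ServiceToManagedAccount {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # short service name, e.g. 'MyAppSvc'
        [Parameter(Mandatory)] [string] $AccountName    # 'DOMAIN\msa$' form
    )

    # 1. Confirm the MSA is installed and usable from this host before touching the service.
    #    Test-ADServiceAccount takes the sAMAccountName without the domain or trailing '$'.
    $msaName = ($AccountName -split '\\')[-1].TrimEnd('$')
    if (-not (Test-ADServiceAccount -Identity $msaName)) {
        throw "MSA '$msaName' is not installed on this computer; run Install-ADServiceAccount first."
    }

    # 2. Change the logon account. StartPassword is $null because the domain,
    #    not the administrator, holds and rotates the MSA password.
    $service = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $service) { throw "Service '$ServiceName' not found." }
    $params = $service.psbase.GetMethodParameters('Change')
    $params['StartName']     = $AccountName
    $params['StartPassword'] = $null
    $result = $service.psbase.InvokeMethod('Change', $params, $null)
    if ($result.ReturnValue -ne 0) {
        # Win32_Service.Change returns 0 on success; anything else is an SCM error code.
        throw "Win32_Service.Change failed for '$ServiceName' with return code $($result.ReturnValue)."
    }

    # 3. Restart so the service actually runs as the new identity, then re-read the logon name.
    Restart-Service -Name $ServiceName -Force
    (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartName
}

# Usage: show which services still need attention, then migrate one of them.
Get-ServiceLogonAudit | Where-Object { -not $_.ManagedAccount } | Format-Table -AutoSize
Set-ServiceToManagedAccount -ServiceName 'MyAppSvc' -AccountName 'CONTOSO\svc-web$'
```

''Get-ServiceLogonAudit'' is also the check to run before removing a managed service account: if any service still lists the account as its ''StartName'', uninstalling the account will leave that service unable to start.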
===== Removing A Managed Service Account =====

Log into the computer where you used the managed service account:

<code powershell>
Uninstall-ADServiceAccount -Identity
</code>

If you are not moving the service account to another computer, you can remove it from Active Directory by logging into a domain controller or creating a remote PowerShell session with one:

<code powershell>
Remove-ADComputerServiceAccount -Identity -ServiceAccount
Remove-ADServiceAccount -Identity -Confirm:$false
</code>