Managed Service Accounts

One of the biggest issues in most organizations is managing the service accounts for the many servers and applications that spread across the estate and sometimes get forgotten. The larger the organization, the worse the problem gets: passwords that nobody rotates because nobody remembers which services depend on them, and accounts that outlive the systems they were created for. PCI DSS, HIPAA, and FISMA also contain clauses that require any organization subject to them to enforce password rotation and to prove it. Microsoft made this much easier with Managed Service Accounts (MSAs), introduced with the Active Directory schema that shipped with Windows Server 2008 R2 and Windows 7: the domain generates the account's password, rotates it automatically (every 30 days by default, like a computer account's), and no administrator ever needs to know or type it.

Creating and Using A Managed Service Account

Create The Managed Service Account And Associate With Computer

Log into a domain controller, or open a remote PowerShell session to one:

New-ADServiceAccount -Name <AccountName> -Enabled $true -RestrictToSingleComputer
 
Add-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <AccountName>

Two things to watch here: the name becomes the account's sAMAccountName and is limited to 15 characters (AD appends the trailing $ itself), and -RestrictToSingleComputer is what makes this a standalone MSA on the Windows Server 2012 and later module; leave it out and New-ADServiceAccount creates a group Managed Service Account instead (and will ask for a -DNSHostName).

Install the Managed Service Account On The Computer

Log into the computer where you want to use the managed service account:

Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
 
Install-ADServiceAccount -Identity <AccountName>

Configure The Service(s) To Use The Managed Service Account

On the computer where the service(s) are installed, run the following for each service that will run under the managed service account. The account name handed to the service control manager must be domain-qualified and carry the trailing $, e.g. CONTOSO\<AccountName>$, and the password is left null because Active Directory manages it:

$AccountName = '<Domain>\<AccountName>$'   # NetBIOS domain name, MSA name, trailing $
$ServiceName = '<ServiceName>'
 
# Win32_Service.Change rewrites the service's logon account in place
$Service = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
$Params = $Service.psbase.GetMethodParameters("Change")
$Params["StartName"] = $AccountName
$Params["StartPassword"] = $Null    # no password: the domain rotates it
$Service.InvokeMethod("Change", $Params, $Null)

Change returns 0 on success; a non-zero ReturnValue (22 means the service account is invalid, 15 that the logon failed) usually points to a mistyped name or an Install-ADServiceAccount that never ran. Note also that, unlike the Services console, setting the account this way does not grant it the "Log on as a service" right; if the service fails to start with a logon failure, assign that right through local security policy or Group Policy.
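The whole procedure above, from creating the account to restarting the service, as one script. This is an added example, not code from the original post; it is meant to be run on the member server that will host the service, with the RSAT AD PowerShell module installed and an account that may create MSAs in the domain. The MSA name 'svc-backup' and the service name 'BackupAgent' are assumptions, and the CIM calls replace the WMI ones in the post so that the Change return code can be checked:

```powershell
# Added example: create a standalone MSA, bind it to this computer, install it,
# verify it, and move a Windows service onto it. Assumed names: MSA 'svc-backup',
# service 'BackupAgent'; run on the target member server with RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$MsaName      = 'svc-backup'        # sAMAccountName limit for MSAs is 15 characters
$ComputerName = $env:COMPUTERNAME
$ServiceName  = 'BackupAgent'

# 1. Create the standalone MSA in AD if it does not exist yet.
#    -RestrictToSingleComputer is what makes it standalone rather than a gMSA.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -Enabled $true -RestrictToSingleComputer
}

# 2. Bind the MSA to this computer (sets msDS-HostServiceAccount on the computer object).
Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $MsaName

# 3. Install it locally so the LSA can retrieve the password, then prove it works.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA $MsaName is not usable on $ComputerName"
}

# 4. Point the service at the MSA. StartName must be DOMAIN\name$ and the
#    password stays null because Active Directory manages it.
$StartName = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $MsaName
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }

$r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $StartName
    StartPassword = $null
}

# Win32_Service.Change returns 0 on success. ReturnValue is a UInt32, so cast
# to [int] before the hashtable lookup or the keys will never match.
$codes = @{ 0 = 'Success'; 2 = 'Access denied'; 15 = 'Service logon failed'; 22 = 'Invalid service account' }
if ($r.ReturnValue -ne 0) {
    $code = [int]$r.ReturnValue
    $msg  = if ($codes.ContainsKey($code)) { $codes[$code] } else { 'Unknown' }
    throw "Change failed for ${ServiceName}: $code ($msg)"
}

# 5. Restart so the new identity takes effect, and show what the SCM now has.
Restart-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

If Test-ADServiceAccount returns False the usual causes are a computer that has not refreshed its Kerberos ticket since Add-ADComputerServiceAccount ran, or a name longer than 15 characters. If the service restart fails with a logon failure even though Change returned 0, grant the account the "Log on as a service" right; the CIM path, like the WMI one, does not do that for you.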

A standalone managed service account is tied to one computer: it can be installed on only one machine at a time, and it can only authenticate from the computer it is bound to, so to move it you must uninstall it from the first host before installing it on the second. If the same identity is needed on several hosts, such as cluster nodes or a web farm, use a group Managed Service Account (gMSA), which Windows Server 2012 added for exactly that case.

Removing A Managed Service Account

Log into the computer where you used the managed service account. First point any service that still runs as the account at a different identity, then remove the account from that computer's local security authority:

Uninstall-ADServiceAccount -Identity <AccountName>

Then, on a domain controller or through a remote PowerShell session to one, remove the association between the computer and the account:

Remove-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <AccountName>

If you are moving the account to another computer, stop here and repeat the Add-ADComputerServiceAccount and Install-ADServiceAccount steps on the new host. If you are not, delete it from Active Directory:

Remove-ADServiceAccount -Identity <AccountName> -Confirm:$false

Remove-ADServiceAccount deletes the account object from the directory, not from a computer; run it on the member server by mistake and, if you have the rights, the account is gone rather than merely uninstalled.
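The removal procedure in the correct order, with the checks that stop you from orphaning a service or deleting an account another host still depends on. This is an added example, not code from the original post; the MSA name 'svc-backup' is assumed, and it is meant to run on the member server that has the account installed, with the RSAT AD PowerShell module:

```powershell
# Added example: safely retire a standalone MSA from this computer and,
# optionally, from Active Directory. Assumed name: MSA 'svc-backup'.
Import-Module ActiveDirectory

$MsaName      = 'svc-backup'
$DeleteFromAD = $true    # set to $false when the MSA is moving to another computer
$StartName    = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $MsaName

# 1. Refuse to continue while any local service still logs on as the MSA;
#    uninstalling underneath them would leave them unable to start.
$stillUsed = Get-CimInstance -ClassName Win32_Service |
             Where-Object { $_.StartName -eq $StartName }
if ($stillUsed) {
    throw "Still used by: $($stillUsed.Name -join ', '). Reconfigure those services first."
}

# 2. Remove the account from this computer's LSA (the local half of the work).
Uninstall-ADServiceAccount -Identity $MsaName

# 3. Drop the computer <-> MSA association in the directory.
Remove-ADComputerServiceAccount -Identity $env:COMPUTERNAME -ServiceAccount $MsaName

# 4. Delete the AD object only if no other computer is still bound to it.
#    HostComputers is the back-link populated by Add-ADComputerServiceAccount.
if ($DeleteFromAD) {
    $msa = Get-ADServiceAccount -Identity $MsaName -Properties HostComputers
    if ($msa.HostComputers.Count -gt 0) {
        throw "MSA $MsaName is still bound to: $($msa.HostComputers -join ', ')"
    }
    Remove-ADServiceAccount -Identity $MsaName -Confirm:$false
}
```

Step 1 is the one most often skipped; a service left pointing at a removed MSA fails on its next restart with a logon error, and that may be weeks later when nobody remembers the change.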