Managed Service Accounts

One of the biggest issues in most organizations is managing the service accounts used by the various servers and applications; they spread across the environment and are sometimes forgotten. The larger the organization, the worse the problem gets. Compliance frameworks such as PCI DSS, HIPAA, and FISMA also contain clauses that require organizations subject to them to have strong password rotation policies and to be able to prove compliance. Microsoft has made this much easier with Managed Service Accounts, introduced with the Active Directory schema changes in Windows Server 2008 R2. A managed service account is a domain account whose password is generated and rotated automatically by Active Directory, on the same schedule as computer account passwords (every 30 days by default), so nobody has to know it, type it, or store it in a script.

Creating and Using A Managed Service Account

Create The Managed Service Account And Associate With Computer

Log into a domain controller, or open a remote PowerShell session to one, and run:

# -RestrictToSingleComputer creates a standalone MSA (one host), as opposed to a group MSA
New-ADServiceAccount -Name <AccountName> -Enabled $true -RestrictToSingleComputer

# Bind the account to the one computer that is allowed to install and use it
Add-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <AccountName>

Install the Managed Service Account On The Computer

Log into the computer where you want to use the managed service account:

# The AD cmdlets come with the RSAT PowerShell module; install it on the member server first
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

# Retrieves the managed password from AD and stores it in the local LSA for this computer
Install-ADServiceAccount -Identity <AccountName>

Configure The Service(s) To Use The Managed Service Account

On the computer where the service(s) are installed, run the following for each service that will run using the managed service account:

$AccountName = '<Domain>\<AccountName>$'   # MSA logon names end in $; DOMAIN\name$ is the documented form
$ServiceName = '<ServiceName>'

$Service = Get-WmiObject Win32_Service -Filter "name='$ServiceName'"
$Params  = $Service.psbase.GetMethodParameters("Change")
$Params["StartName"]     = $AccountName
$Params["StartPassword"] = $Null           # no password is stored: Active Directory manages it
$Service.InvokeMethod("Change", $Params, $Null)   # ReturnValue 0 means success
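The whole procedure above, assembled into one script as an added example; this is not code from the original post. It assumes a domain controller reachable over WinRM as DC01, a member server (where the script runs) that already has the RSAT-AD-PowerShell feature, a service named MyAppSvc, and the account name svc-app; all of these names are placeholders. It goes beyond the separate snippets by checking each step: the account is created only if it does not already exist, Test-ADServiceAccount must pass before any service is touched, the Win32_Service.Change return code is checked, and the service's resulting logon name and state are verified. It uses the CIM cmdlets rather than the older WMI ones.

```powershell
# Added example, not from the original post. Placeholder names: DC01, svc-app, MyAppSvc.
[CmdletBinding()]
param(
    [string]$DomainController = 'DC01',              # assumed DC reachable over WinRM
    [string]$AccountName      = 'svc-app',           # assumed MSA name (no trailing $ here)
    [string]$ServiceName      = 'MyAppSvc',          # assumed Windows service to reconfigure
    [string]$ComputerName     = $env:COMPUTERNAME    # the host that will run the service
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory   # needs the RSAT-AD-PowerShell feature on this host

# 1. On the domain controller: create the standalone MSA (if missing) and bind it to this computer.
Invoke-Command -ComputerName $DomainController -ArgumentList $AccountName, $ComputerName -ScriptBlock {
    param($Name, $Computer)
    Import-Module ActiveDirectory
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
        New-ADServiceAccount -Name $Name -Enabled $true -RestrictToSingleComputer
    }
    Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Name
}

# 2. On this computer: install the account into LSA and prove it works before touching any service.
Install-ADServiceAccount -Identity $AccountName
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Test-ADServiceAccount failed for '$AccountName'; verify it is bound to $ComputerName with Add-ADComputerServiceAccount."
}

# 3. Point the service at DOMAIN\name$ with no stored password (Active Directory owns the password).
$logonName = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $AccountName
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $service) { throw "Service '$ServiceName' not found on $ComputerName." }

$change = Invoke-CimMethod -InputObject $service -MethodName Change -Arguments @{
    StartName     = $logonName
    StartPassword = $null
}
if ($change.ReturnValue -ne 0) {
    throw "Win32_Service.Change returned $($change.ReturnValue) for '$ServiceName'."
}

# 4. Restart and verify the service really runs as the MSA.
Restart-Service -Name $ServiceName
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($service.StartName -ne $logonName -or $service.State -ne 'Running') {
    throw "Service '$ServiceName' is $($service.State) as $($service.StartName); expected Running as $logonName."
}

# 5. The evidence an auditor asks for: where the account is installed and when AD last rotated its password.
Get-ADServiceAccount -Identity $AccountName -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet
```

Run it from the member server as a domain administrator. If the service fails to start afterwards with a logon failure, the likely cause is that the account lacks the "Log on as a service" right: services.msc grants that right automatically when you pick an account there, but changing the logon name through WMI or CIM does not, so grant it through Local Security Policy or a GPO. The last lines print the account's PasswordLastSet; with a managed service account that date keeps advancing on its own without anyone ever knowing the password, which is exactly the rotation evidence the compliance clauses ask for.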

A (standalone) managed service account is tied to one computer: it can be installed on only one computer at a time, so it cannot be shared across cluster nodes, a web farm, or any other set of hosts that must run a service under the same identity. For those cases use a Group Managed Service Account (gMSA), available from Windows Server 2012, which lets a defined set of computers retrieve the same managed password from Active Directory.

Removing A Managed Service Account

Before removing the account, reconfigure any service still using it to run under another account; otherwise that service will fail to start at its next restart. Then, on the computer where the managed service account was installed, uninstall it (this removes the cached password from the local LSA):

Uninstall-ADServiceAccount -Identity <AccountName>

Next, on a domain controller (or in a remote PowerShell session with one), remove the association between the computer and the account:

Remove-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <AccountName>

If you are not moving the service account to another computer, delete it from Active Directory as well:

Remove-ADServiceAccount -Identity <AccountName> -Confirm:$false

Copyright © 2022 by Julian Easterling. SOME RIGHTS RESERVED.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.