Where can I use Managed Service Accounts? (So many questions. So little time. Part 32)


Great question!

For those of you who are not familiar with these things called Managed Service Accounts, let’s first talk about the problem they solve.  To set the stage, a couple of assumptions:

  1. You have some domain accounts being used as the identity for some services.
  2. For the sake of good security, you change the passwords for those domain accounts on a regular basis.

Right?

“Um.. Kevin.. Yes to the first one.. but definitely not the second one.”

Why not?

“Because then the services won’t start.”

Bingo.  And even worse, it doesn’t show up as a problem until days or weeks later when for some reason (an update, perhaps?) you have to restart a server.  Suddenly things are broken, and you’re not sure why… until you find that the service that Exchange or IIS was depending on didn’t start.  So unless you’re really good at also going to each and every server and each and every service definition to reset the passwords there, you’re going to have problems.

Managed Service Accounts take the chore of setting and resetting service passwords out of your hands.  They are special Active Directory accounts whose passwords are managed automatically for you: by default the password is a 240-byte (120-character) random value that the host computer rotates every 30 days, the same way a domain member rotates its own computer-account password, and the account cannot be used for interactive logon.

Currently (and I say that because I don’t know if this is going to be different in Windows Server 2012) there are two steps: 1) create the account in Active Directory, and then 2) install the account on the server that will use it, both done with the Active Directory module for PowerShell.  Only then do you point the service at the account, with no password.
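Here is that two-step procedure end to end, as an added example that is not part of the original post.  It uses the Windows Server 2008 R2 standalone-MSA syntax; the domain (CONTOSO / contoso.com), the account name (svcApp), the target server (APPSRV01) and the service name (MyAppSvc) are assumptions.  Step 1 runs from any machine with the Active Directory module; steps 2 and 3 run on the target server as a local administrator.

```powershell
# Added example, not from the original post.  All names below are assumptions:
# domain CONTOSO (contoso.com), MSA "svcApp", host APPSRV01, service "MyAppSvc".
Import-Module ActiveDirectory   # RSAT AD module; needs ADWS/ADMGS on at least one DC

$msaName  = 'svcApp'
$hostName = 'APPSRV01'
$svcName  = 'MyAppSvc'
$account  = "CONTOSO\$msaName`$"   # MSAs are computer-like: sAMAccountName ends in '$'

# --- Step 1: create the account in AD (run once, from any machine with the module) ---
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Description "MSA for $svcName on $hostName"

# Bind it to the one computer that is allowed to retrieve and rotate its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Sanity check: note the auto-set password date and the host it is bound to.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, PasswordLastSet |
    Select-Object Name, SamAccountName, HostComputers, PasswordLastSet

# --- Step 2: install the account on the target server (run ON APPSRV01) ---
# This caches the secret locally so the host can log the service on without a password.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName cannot be used on $env:COMPUTERNAME; check steps 1 and 2."
}

# --- Step 3: point the service at the MSA (still on APPSRV01) ---
# The password argument is blank: the host fetches it itself and keeps rotating it.
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#   DesktopInteract, StartName, StartPassword, ...) - $null leaves a field unchanged.
$svc    = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, $account, '')
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# The Services console grants 'Log on as a service' when you set the identity there;
# this WMI call does not, so grant SeServiceLogonRight to $account via Group Policy
# or secedit before the first start if the account has never run on this host.
Restart-Service -Name $svcName
Get-Service -Name $svcName | Select-Object Name, Status
```

Two caveats worth knowing: in Windows Server 2008 R2 a standalone MSA can be installed on only one computer, so you create one account per host/service pair rather than sharing it across a farm, and Install-ADServiceAccount has to be run on the host itself (it stores the secret in that machine's local security authority), which is why it cannot be done remotely from a management workstation.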

For complete details on Managed Service Accounts, see these pages:

So, back to Casy’s question: Can you use Managed Service Accounts on Server 2003 or Server 2003 R2?

No. 

Well… I should probably clarify something here.  Managed Service Accounts require the Active Directory schema to be extended to the Windows Server 2008 R2 version, but they do not require the domain or forest functional level to be raised, so you can use them even if you are still running domain controllers on Windows Server 2003 SP2, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 SP2.  (You will need to run adprep /forestprep and adprep /domainprep from the Server 2008 R2 media.  See AdPrep for details.)  In addition, the Active Directory Management Gateway Service must be installed on those older domain controllers: the Active Directory module for PowerShell talks to a domain controller through Active Directory Web Services, which Windows Server 2008 R2 DCs have built in, and the Management Gateway Service is the equivalent for down-level DCs.  Without it, cmdlets such as New-ADServiceAccount and Install-ADServiceAccount have no domain controller to talk to.
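Before trying any of this in a mixed domain, it is worth checking both prerequisites.  The script below is an added example, not from the original post: it reads the schema version over plain LDAP (so it works even before any web-service endpoint exists) and then probes each domain controller on TCP 9389, the port that both Active Directory Web Services and the Management Gateway Service listen on.  It assumes you run it from a domain-joined machine with a domain account; the schema version numbers in the comment are the published values for each Windows Server release.

```powershell
# Added example, not from the original post.  Uses ADSI/LDAP and .NET only, so it
# needs no Active Directory module and no ADWS/ADMGS endpoint to run.

# 1. Schema version.  47 is the Windows Server 2008 R2 schema, which adds the
#    msDS-ManagedServiceAccount class (30 = 2003, 31 = 2003 R2, 44 = 2008).
$rootDse   = [ADSI]"LDAP://RootDSE"
$schemaNc  = $rootDse.schemaNamingContext.Value
$schemaVer = [int]([ADSI]"LDAP://$schemaNc").objectVersion.Value
$msaClass  = [ADSI]::Exists("LDAP://CN=ms-DS-Managed-Service-Account,$schemaNc")

"Schema objectVersion : $schemaVer"
"MSA class present    : $msaClass"
if ($schemaVer -lt 47 -or -not $msaClass) {
    Write-Warning "Schema is below 2008 R2: run adprep /forestprep and adprep /domainprep first."
}

# 2. Which DCs can the AD PowerShell module actually talk to?  It needs ADWS
#    (built into 2008 R2 DCs) or the AD Management Gateway Service (2003/2008 DCs);
#    both listen on TCP 9389.  A 3-second connect timeout keeps a dead DC from stalling us.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($dc.Name, 9389, $null, $null)
        $ok    = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch {
        $ok = $false
    } finally {
        $client.Close()
    }
    "{0,-30} {1,-40} ADWS/ADMGS on 9389: {2}" -f $dc.Name, $dc.OSVersion, $ok
}
```

A DC that reports the 2008 R2 schema but no listener on 9389 is exactly the "older DC without the Management Gateway Service" case: the account objects can exist, but the PowerShell cmdlets will fail to find a server until the gateway service is installed on it (or a 2008 R2 DC is reachable).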

“Okay.. so they can exist in a domain that has older domain controllers. But can I install them and use them on older servers or workstations?”

No.  Sorry.  “To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7.” (From the Service Accounts Step-by-Step Guide, “Requirements for using managed service accounts and virtual accounts” section.)

I hope that clarifies things for you.

---

Are you using Managed Service Accounts? Have they been useful to you? Please share your thoughts in the comments.