When a domain account is configured for a service on a server in a domain, client computers can authenticate to and connect to that service. Until now, only two account types have provided such an identity without requiring password management, and both have limitations:
- The computer account is limited to one domain server, and its password is managed by that computer.
- The Managed Service Account is limited to one domain server, and its password is managed by that computer.
These accounts cannot be shared across multiple systems. Therefore, you must regularly maintain the account for each service on each system to prevent unwanted password expiration.
What value does this change add?
The group Managed Service Account solves this problem because the account password is managed by Windows Server 2012 domain controllers and can be retrieved by multiple Windows Server 2012 systems. This minimizes the administrative overhead of a service account by allowing Windows to handle password management for these accounts.
What works differently?
On computers running Windows Server 2012 or Windows 8, a group MSA can be created and managed through the Service Control Manager so that numerous instances of a service, such as those deployed across a server farm, can be managed from one server. Tools and utilities that you used to administer Managed Service Accounts, such as IIS Application Pool Manager, can also be used with group Managed Service Accounts. Domain administrators can delegate service management to service administrators, who can then manage the entire lifecycle of a Managed Service Account or a group Managed Service Account. Existing client computers can authenticate to any such service without knowing which service instance they are authenticating to.
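The lifecycle described above, from creating the group Managed Service Account to installing it on each farm member and checking who may retrieve its password, is shown below as an added PowerShell example; it is not part of the original page. The account name `svc-web`, the security group `WebFarm-Hosts`, the host names, and the service name `MyWebService` are assumed values for illustration. The cmdlets are from the ActiveDirectory module that ships with the Remote Server Administration Tools.

```powershell
# Added example (not from the original page). Assumed names:
#   gMSA account        : svc-web   (becomes CONTOSO\svc-web$)
#   host security group : WebFarm-Hosts (contains the farm's computer accounts)
#   farm hosts          : WEB01, WEB02
#   Windows service     : MyWebService
Import-Module ActiveDirectory

# 1. One-time forest setup: the KDS root key from which domain controllers
#    derive gMSA passwords. With -EffectiveImmediately the key still needs
#    about 10 hours to replicate to all domain controllers before a gMSA
#    can be created against it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. A group that holds exactly the computer accounts allowed to retrieve
#    the managed password. Scoping retrieval to this group is the key
#    security control: any principal listed here can read the password.
if (-not (Get-ADGroup -Filter "Name -eq 'WebFarm-Hosts'")) {
    New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. Create the gMSA. The DC manages and rotates the password on the
#    interval given here; no administrator ever handles it.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ServicePrincipalNames 'HTTP/webfarm.contoso.com' `
    -ManagedPasswordIntervalInDays 30

# 4. On each farm member (after it has rebooted to pick up the new group
#    membership), install the account locally and verify that this host
#    can actually retrieve the password.
Install-ADServiceAccount -Identity 'svc-web'
if (-not (Test-ADServiceAccount -Identity 'svc-web')) {
    throw 'This host cannot retrieve the gMSA password; check group membership and replication.'
}

# 5. Point the service at the gMSA. A gMSA is referenced with a trailing $
#    and an empty password; the Service Control Manager fetches the real
#    password from the domain controller at start-up.
sc.exe config 'MyWebService' obj= 'CONTOSO\svc-web$' password= ''
Restart-Service -Name 'MyWebService'

# 6. Audit check for the defender: confirm that only the intended group can
#    retrieve the managed password.
Get-ADServiceAccount -Identity 'svc-web' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
```

Steps 1 to 3 run once on a domain controller or management workstation; steps 4 and 5 run on every server in the farm. The output of step 6 should list only the `WebFarm-Hosts` group; any additional principal there can obtain the account's password and should be treated as a finding.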