This video looks at some of the new features in Windows Server 2008 R2 and Windows 7 that can automate the management of service accounts. If your application supports it, using managed service accounts means that the password of the service account is automatically changed periodically without any interaction from the administrator.
What is a service accountA service account is a user account that is created to run a particular service or software. In order to have good security, a service account should be created for each service/application that is on your network. On large networks this will mean a lot of service accounts and the management of these service accounts can become difficult, thus this is where Managed Service Accounts can help.
Computer Accounts
A computer account is like a user account in that it has a password. The difference is that the password for a computer account is automatically updated by Windows with no interaction from the user. Managed Service Accounts uses the same process to manage the password for a Managed Service Account.
Refer here for information about computer accounts http://itfreetraining.com/70-640/computer-accounts
Managed Service Accounts Passwords
The password that is associated with a Managed Service Account (MSA) is automatically changed every 30 days. It is a random string of 120 characters so it offers better security than standard passwords even if the standard password uses upper and lower case letters combined with non alphanumeric characters. Unless of course the administrator wants to use their own 120 character password which is difficult for an administrator to work with. Like a computer account, the Managed Service Account is bound to one computer and thus cannot be used on a computer that it was not designed to work with. This provides additional security.
Requirements
In order to start using Managed Service Accounts you need to meet a few requirements.
Domain Functional Level: This needs to be Windows Server 2008 R2 or above.
Forest Functional Level: Does not require any particular forest level.
Schema changes: The schema needs to be up to date. Run ADPrep /ForestPrep to update the schema to the latest version using a Windows Server 2008 R2 DVD or above.
Client: The Managed Service Account can only be used on Windows Server 2008 R2 or Windows 7.
Software components: .Net Frame work 3.5 and Active Directory module for Windows Powershell are required for Managed Service Accounts.
Supported Software
Not all software will work with a Managed Service Accounts. Managed Service Accounts do not allow the software to interact with the Desktop. Thus a Managed Service Account cannot be used to login and cannot be used to display GUI based Windows. Listed below are common software and if they can use a Managed Service Account.
Exchange: Yes, but the Managed Service Account cannot be used for sending e-mail.
IIS: Yes, can be used with application pools.
SQL Server: Some people have got Managed Service Accounts to work with SQL but Microsoft does not support it.
Task Scheduler: No
AD LDS: Yes, Active Directory Light Weight Service works with a Managed Service Account, however a special procedure does need to be followed in order to get it to work.
Demonstration
Software components
To install the required software components, open server manger and select add features. Ensure the following are installed
.Net Framework 3.5.1 Features
Active Directory module for Windows PowerShell found under Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools
To create the Managed Service Account do the following
Open PowerShell
import-module ActiveDirectory
New-ADServiceAccount –name -enable ($True or $False)
ADComptuerServiceAccount -Identity –ServiceAccount
On the client run the following
Install-ADServiceAccount -Identity
Configure Managed Service Account in IIS
Open IIS Manager
Expand down to Application Pools
Right click the pool you want and advanced settings
Select the property Identity
Enter the username for the Managed Service Account making sure it ends with a $
Leave the password blank. This will be managed by Windows and is not required.
References
“Service accounts step-by-step guide” http://technet.microsoft.com/en-us/library/dd548356.aspx
“Managed Service Accounts Frequently Asked Questions (FAQ)” http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx
Credits
