Managed Service Accounts in Active Directory

We all heard that one of many features in Windows server 2008 R2 is Managed Service Account.

Prerequisites for that is domain functionality raised to Windows Server 2008 R2

Most common mistake is that you will create managed service account using Active Directory Users And Computers snap-in. You will not.

Either if you are created account in Managed Service Accounts container it is still user account. To make it work you must give user rights “logon as a service” and “logon as a bat job”.

To create Managed Service Account you must use Power Shell. Creating service accounts is not so complicated. You can create it using simple script

New-ADServiceAccount –name (desired name of account).

Of course before you must “tell” powershell to use Active Directory module. Syntax for this is:

Import-module ActiveDirectory

And before that you must have installed feature:

Active Directory module for Power Shell

image

I’ve described this reversed with reason.

Most common is that you first load module to Power Shell and then start wit Your managed service accounts.

When you are created service account you need to install it on server where You want to use it. Syntax is:

install-ADServiceAccount –identity “(name of service account)”

To install account you must “run as administrator” Power Shell or you will receive error.

image

REMEMBER: You must have ONE managed service account per server. This is the big difference between managed service account and former virtual account.

Now you are ready to use managed service account with specific services

image

image

 

 

For more on this topic you can contact this link

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s