Managed Service Accounts Frequently Asked Questions (FAQ)

Applies To: Windows 7, Windows Server 2008 R2

The following questions and answers provide important information about using managed service accounts (MSA) with Microsoft server applications.

Two new types of service accounts are available in Windows Server® 2008 R2 and Windows® 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. It is a managed domain accounts that provides automatic password management and simplified SPN management. Virtual accounts are "managed local accounts" that can use a computer's credentials to access network resources.

This topic contains the following information:

  • Installation location of the managed service account

  • How are passwords managed using a managed service account?

  • Supported technologies

Installation and location

Can a managed service account be installed on more than one computer?

No. A managed service account can only be installed on a single computer.

Do managed service accounts work across domain boundaries?

Yes. Although managed service accounts can only be installed on a single computer, they otherwise function just like normal accounts and can access resources across domains if the appropriate Active Directory trusts exist.

Can a managed service account be placed in a security group?

Yes. A managed service account can be placed in a security group just like any other user or computer account.

Where in the directory can I create a managed service account?

The Managed Service Account container in in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in is the default container for managed service account objects. However, they can be stored anywhere in the directory.

How are passwords managed using a managed service account?

Passwords are automatically created for the MSA when the account is created, and refreshed every 30 days. You can change a password manually.

Can the password be updated automatically?

Yes. The default behavior is that the password for the managed service account is automatically updated. However, this can cause a failed authentication attempt because the NTLM and Kerberos security support providers will not recognize the new password. To rectify this problem permanently, install the hot fix as described in the knowledge base article “Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2 (KB 2494158).”

Does a service need to be stopped when a managed service account password is being updated?

No. Managed service accounts were designed to simplify the management of critical applications. A service does not need to be stopped when a managed service account is updated.

Can a managed service account password be reset manually if needed?

Yes. You can use the Reset-ADServiceAccount Windows PowerShell cmdlet to manually reset a managed service account password. You can also reset a managed service account password by using the Nltest.exe command-line tool. For more information about resetting managed service account passwords, see the Service Accounts Step-by-Step Guide.

Supported technologies

Technology Can use MSA Notes

Microsoft Exchange

Yes

Exchange Server does not allow you to send e-mails from a managed service account on behalf of a service or application. To overcome this limitation, use the managed service account to run the service, but create a separate conventional user account for the service and configure the service to send e-mails using this account.

Microsoft IIS

Yes

You can configure IIS application pools to run managed service accounts.

Microsoft SQL Server

No

Task Scheduler

No

Active Directory Lightweight Directory Services (AD LDS)

Yes

Specific procedures are required to enable AD LDS support.

Using managed service accounts with Active Directory Lightweight Directory Services?

To enable Active Directory Lightweight Directory Services (AD LDS) to run under a managed service account, you need to install and configure the managed service account on the computer that will host AD LDS. For basic procedures for installing a managed service account, see the Service Accounts Step-by-Step Guide. After you have installed the managed service account on the computer hosting AD LS, you must complete the following procedure.

To configure a managed service account for AD LDS

  1. Open the PowerShell module for Active Directory Domain Services (AD DS), and run the following cmdlet: Install-ADServiceAccount <ManagedServiceAccountName>.

Note

For information about installing and using the PowerShell module for AD DS, see the Service Accounts Step-by-Step Guide.

  1. Stop the AD LDS service, either by using the Services snap-in console or by running the following cmdlet: Stop-Service ADAM_<InstanceName>.

  2. Grant the managed service account Read and Write permissions to the AD LDS data and log folders and to the directory information tree (DIT) file.

Tip

If this is a typical installation, you will apply these permissions to the folder %ProgramFiles%\Microsoft AD LDS&lt;InstanceName>\data and all files within this folder.

  1. Grant the managed service account Allow permissions to the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName> and to these subkeys:

    • Query Value

    • Enumerate Subkeys

    • Notify

    • Read Control

  2. Grant the managed service account Full Control permissions to the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName>\Parameters.

  3. Grant Backup permissions for the managed service account to the Volume Shadow Copy (VSS) service. To do this, go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\VssAccessControl, and create a registry entry with $ appended to the account name.

Tip

For example, if the managed service account in domain MyDomain is MyMSA, the registry entry name should be MyDomain\MyMSA$.

  1. Set the value of this registry entry to 1.

Note

For VSS security considerations see Security Considerations for Writers.

  1. Add security audit permissions to the managed service account by following the steps in Event ID 2521 — Auditing.

  2. Select the computer object in AD LDS, and assign Create child and Delete child rights to the managed service account. This allows AD LDS to create service connection point objects.

Note

For more information about service connection point objects and AD LDS, see Administering AD LDS Service Publication.

  1. Open the Services snap-in console, right-click the service to be used with the managed service account, and click Properties.

  2. Click the Log On tab, click This account, and type the name of the managed service account in the format domainname\accountname or click Browse to search for the account. Confirm that the password field is blank, and then click OK.

  3. Start the <InstanceName> service by running Start-Service ADAM_<InstanceName> or by starting the service in the Services snap-in console.

For more information about creating and using managed service accounts, see the Service Accounts Step-by-Step Guide.

Where can I find additional information about managed service accounts?

For more information, see: