Managed Service Accounts Frequently Asked Questions (FAQ)
Applies To: Windows 7, Windows Server 2008 R2
The following questions and answers provide important information about using managed service accounts (MSA) with Microsoft server applications.
Two new types of service accounts are available in Windows Server® 2008 R2 and Windows® 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. It is a managed domain account that provides automatic password management and simplified SPN management. Virtual accounts are "managed local accounts" that can use a computer's credentials to access network resources.
This topic contains the following information:
Installation location of the managed service account
How are passwords managed using a managed service account?
Supported technologies
No. A managed service account can only be installed on a single computer.
Yes. Although managed service accounts can only be installed on a single computer, they otherwise function just like normal accounts and can access resources across domains if the appropriate Active Directory trusts exist.
Yes. A managed service account can be placed in a security group just like any other user or computer account.
The Managed Service Account container in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in is the default container for managed service account objects. However, they can be stored anywhere in the directory.
Passwords are automatically created for the MSA when the account is created, and refreshed every 30 days. You can change a password manually.
Yes. The default behavior is that the password for the managed service account is automatically updated. However, this can cause a failed authentication attempt because the NTLM and Kerberos security support providers will not recognize the new password. To rectify this problem permanently, install the hot fix as described in the knowledge base article “Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2 (KB 2494158).”
No. Managed service accounts were designed to simplify the management of critical applications. A service does not need to be stopped when a managed service account is updated.
Yes. You can use the Reset-ADServiceAccount Windows PowerShell cmdlet to manually reset a managed service account password. You can also reset a managed service account password by using the Nltest.exe command-line tool. For more information about resetting managed service account passwords, see the Service Accounts Step-by-Step Guide.
Technology | Can use MSA | Notes
---|---|---
Microsoft Exchange | Yes | Exchange Server does not allow you to send e-mails from a managed service account on behalf of a service or application. To overcome this limitation, use the managed service account to run the service, but create a separate conventional user account for the service and configure the service to send e-mails using this account.
Microsoft IIS | Yes | You can configure IIS application pools to run as managed service accounts.
Microsoft SQL Server | No |
Task Scheduler | No |
Active Directory Lightweight Directory Services (AD LDS) | Yes | Specific procedures are required to enable AD LDS support.
To enable Active Directory Lightweight Directory Services (AD LDS) to run under a managed service account, you need to install and configure the managed service account on the computer that will host AD LDS. For basic procedures for installing a managed service account, see the Service Accounts Step-by-Step Guide. After you have installed the managed service account on the computer hosting AD LDS, you must complete the following procedure.
- Open the PowerShell module for Active Directory Domain Services (AD DS), and run the following cmdlet: Install-ADServiceAccount <ManagedServiceAccountName>.
  Note: For information about installing and using the PowerShell module for AD DS, see the Service Accounts Step-by-Step Guide.
- Stop the AD LDS service, either by using the Services snap-in console or by running the following cmdlet: Stop-Service ADAM_<InstanceName>.
- Grant the managed service account Read and Write permissions to the AD LDS data and log folders and to the directory information tree (DIT) file.
  Tip: If this is a typical installation, you will apply these permissions to the folder %ProgramFiles%\Microsoft AD LDS\<InstanceName>\data and all files within this folder.
- Grant the managed service account the following Allow permissions on the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName>:
  - Query Value
  - Enumerate Subkeys
  - Notify
  - Read Control
- Grant the managed service account Full Control permissions to the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName>\Parameters.
- Grant Backup permissions for the managed service account to the Volume Shadow Copy (VSS) service. To do this, go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\VssAccessControl, and create a registry entry with $ appended to the account name.
  Tip: For example, if the managed service account in domain MyDomain is MyMSA, the registry entry name should be MyDomain\MyMSA$.
- Set the value of this registry entry to 1.
  Note: For VSS security considerations, see Security Considerations for Writers.
- Add security audit permissions to the managed service account by following the steps in Event ID 2521 — Auditing.
- Select the computer object in AD LDS, and assign Create child and Delete child rights to the managed service account. This allows AD LDS to create service connection point objects.
  Note: For more information about service connection point objects and AD LDS, see Administering AD LDS Service Publication.
- Open the Services snap-in console, right-click the service to be used with the managed service account, and click Properties.
- Click the Log On tab, click This account, and type the name of the managed service account in the format domainname\accountname, or click Browse to search for the account. Confirm that the password field is blank, and then click OK.
- Start the <InstanceName> service by running Start-Service ADAM_<InstanceName> or by starting the service in the Services snap-in console.
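The following PowerShell script is an added example, not code from the article or from Microsoft, that automates the file, registry, VSS and service-logon steps of the procedure above for an existing AD LDS instance. It assumes it runs elevated on the AD LDS host, that the managed service account already exists in the domain, and that the auditing and Create child/Delete child steps are carried out separately as described; the domain, account and instance names and the data path are placeholders.

```powershell
# Placeholders: replace with your domain, managed service account and AD LDS instance
$Domain       = 'MyDomain'
$MsaName      = 'MyMSA'
$InstanceName = 'MyInstance'

$account  = "$Domain\$MsaName`$"                     # MSA SAM account names end with $
$svcName  = "ADAM_$InstanceName"
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
# Typical location per the article; adjust if the instance stores its data elsewhere
$dataPath = Join-Path $env:ProgramFiles "Microsoft AD LDS\$InstanceName\data"

function Grant-NtfsRights {
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    # Inherit to subfolders and files so the log folder and the DIT file are covered
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryRights {
    param([string]$Key, [string]$Identity, [System.Security.AccessControl.RegistryRights]$Rights)
    $acl  = Get-Acl -Path $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $MsaName          # bind the MSA to this computer
Stop-Service -Name $svcName

Grant-NtfsRights -Path $dataPath -Identity $account -Rights 'Read, Write'

# Least privilege on the service key: only the four rights the article lists
# (ReadPermissions is the .NET name for the "Read Control" permission)
Grant-RegistryRights -Key $svcKey -Identity $account `
    -Rights 'QueryValues, EnumerateSubKeys, Notify, ReadPermissions'
Grant-RegistryRights -Key "$svcKey\Parameters" -Identity $account -Rights 'FullControl'

# VSS backup access: a DWORD value named DOMAIN\MSA$ set to 1
$vssKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
New-ItemProperty -Path $vssKey -Name $account -Value 1 -PropertyType DWord -Force | Out-Null

# Change the logon identity; no password is supplied for an MSA (blank, as in the snap-in)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, $account, $null).ReturnValue
if ($rc -ne 0) { throw "Changing the logon account for $svcName failed (return code $rc)" }

Start-Service -Name $svcName
```

After the service starts, verifying with Get-Acl on the data folder and the two registry keys that only the listed rights were added is a quick check that the account has not been over-privileged.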
For more information about creating and using managed service accounts, see the Service Accounts Step-by-Step Guide.
For more information, see:
KB 2494158: Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2.