Introducing Managed Service Accounts
Updated: June 23, 2011
Applies To: Windows 7, Windows Server 2008 R2
This product evaluation article written for the IT professional describes a new feature to manage service accounts in Windows 7 and Windows Server 2008 R2 to help you maintain and secure your IT environment.
One of the security challenges for critical network applications is selecting the appropriate type of account for the application to run as:
On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed on a domain level.
If you configure the application to use a domain account, you can isolate the privileges for the application. However, you need to manually manage passwords or create a custom solution for managing these passwords.
Overview of the managed service account
The managed service account is designed to provide applications such as SQL Server or Exchange with:
Automatic password management, which can better isolate these services from other services on the computer.
Important The default password refresh behavior for the managed service account is to be automatically updated every 30 days. However, this can cause a failed authentication attempt because the NTLM and Kerberos security support providers will not recognize the new password. To rectify this problem permanently, install the hot fix as described in the knowledge base article “Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2 (KB 2494158).”
Simplified service principal name (SPN) management, which allows service administrators to set SPNs on these accounts. In addition, SPN management can be delegated to other administrators.
To configure and manage these accounts for a service running on Windows 7 or Windows Server 2008 R2, you will need to use Windows PowerShell cmdlets. There is no UI support for creating and managing these accounts.
Service accounts are also supported on Windows Server 2003 and Windows Server 2008 domain controllers. For information about these requirements and additional configuration steps, see Managed Service Accounts Step-by-Step Guide.