Managed Service Accounts

A common issue that pops up is deciding which service account to use for a specific application or service .  What is the best practice for creating and using service accounts to operate Windows services and applications?

Microsoft has resolved this issue with the MSA (Managed Service Account) in Windows 2008 R2.  


     1.  Create the MSA in AD using the AD nodule for PowerShell:

          New-ADServiceAccount -Name [MSA account name] -Enabled $true

   2. Associate the MSA to a computer:

          Add-ADComputerServiceAccount -Identity [AD Computer Account] -ServiceAccount

     3.  Install the MSA on the associated computer:


          Install-ADServiceAccount -Identity [MSA Account]

     4.   Associate the new MSA with the service.

          Services.MSC → Edit Service Properties
           → Edit "Log On" Tab.

     * Use domain\MSA format
     * Do no enter a password.
   

http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx


http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx