Managed Service Accounts
Thursday, October 4, 2012
by asalvo
I’ve been working with Managed Service Accounts over the past week. This post is going to be a repository for information pertaining to Managed Service Accounts (MSAs).
Limitations
- Does not work with Task Scheduler
- Account names must not be longer than 14 characters. AD appends a $ to the MSA name automatically, so an account name of 14 characters ends up 15 characters long in total. If the total length exceeds 15 characters, you will get errors when you try to run Install-AdServiceAccount, as well as when you try to assign the account to a Windows Service.
PowerShell
Create a New MSA
New-ADServiceAccount -Name MSAName -Enabled $true
Add-ADComputerServiceAccount -Identity ComputerName -ServiceAccount MSAName
This is the simplest usage of New-ADServiceAccount and Add-ADComputerServiceAccount: it creates a new MSA and assigns it to a specific computer. Remember, the MSA account name you choose here should be no longer than 14 characters.
You then need to run the following command on the client computer:
Install-AdServiceAccount -Identity MSAName
Get all AD Properties for an existing MSA
Get-AdServiceAccount AccountName -Properties *
Notable properties include DistinguishedName, HostComputers (the computers this MSA is registered to), PasswordExpire, SID and much more.
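The create/assign/install steps above and the property lookup, combined into one script with the 14-character name check applied before anything is created (an added example, not the post's own code; MSAName and ComputerName are placeholder values):

```powershell
# Added example: create an MSA, bind it to a computer and read back the
# properties the post calls out. Names are placeholders.
Import-Module ActiveDirectory

function New-ManagedServiceAccountForHost {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$ComputerName
    )

    # The post's limitation: AD appends '$' to the account name and the
    # total must not exceed 15 characters, so refuse names over 14 up front
    # instead of letting Install-ADServiceAccount fail later on the client.
    if ($Name.Length -gt 14) {
        throw "MSA name '$Name' is $($Name.Length) characters; the limit is 14 (15 with the trailing `$)."
    }

    # Create the account and allow the named host to retrieve its password.
    New-ADServiceAccount -Name $Name -Enabled $true
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $Name

    # Return the properties worth checking after creation.
    Get-ADServiceAccount -Identity $Name -Properties HostComputers, SID |
        Select-Object Name, DistinguishedName, HostComputers, SID
}

# Run from a host with the AD module and rights to create the account:
New-ManagedServiceAccountForHost -Name 'MSAName' -ComputerName 'ComputerName'

# Then, on the client computer itself (ComputerName), install the account and
# confirm that this host can actually retrieve the MSA password:
#   Install-ADServiceAccount -Identity 'MSAName'
#   Test-ADServiceAccount -Identity 'MSAName'   # True when the install succeeded
```

Test-ADServiceAccount returning False on the client usually means the computer was never added via Add-ADComputerServiceAccount or the install step was run elsewhere.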
Add a new Certificate to an existing MSA
Set-ADUser saradavis -Certificates @{Add=<binary certificate value>}
Other options for the -Certificates hashtable include Remove, Replace and Clear. In this example we are adding a cert based on its binary value. Other examples I have seen show using a $cert variable created (or set to) the value of a cert using PowerShell.
Supported Usages
- SQL Server 2012
- Windows Services