Managed Service Accounts
Thursday, October 4, 2012
I’ve been working with Managed Service Accounts over the past week. This post is going to be a repository for information pertaining to Managed Service Accounts (MSAs).
- Does not work with Task Scheduler
- Account names must not be longer then 14 characters. MSAs get a $ added automatically, so with a account name that is 14 characters, the total length ends up being 15. If the total length is greater then 15 characters, you will get errors when you try to run Install-AdServiceAccount, as well as when you try to assign the account to a Windows Service.
Create a New MSA
New-ADServiceAccount –Name MSAName -enabled $true Add-ADComputerServiceAccount -identity ComputerName –serviceaccount MSAName
This is the simplest usage of New-ADServiceAccount and Add-ADComputerServiceAccount which can be used to create a new MSA and assign it to a specific computer. Remember, the MSA account name you choose here should be no longer then 14 characters.
You then need to run the following command on the client computer
Install-AdServiceAccount –identity MSAName
Get all AD Properties for an existing MSA
Get-AdServiceAccount AccountName -Properties *
Notable properties include the DistinguishedName, HostComputers (where is this MSA registered), PasswordExpire, SID and much more.
Add a new Certificate to an existing MSA
Set-ADUser saradavis -Certificates @
Other options include Remove, Replace and Clear. In this example we are setting a cert based on the binary value. Other examples I have seen show using a $cert variable created (or set to) the value of a cert using PowerShell.
- SQL Server 2012
- Windows Services