Managed Service Accounts (MSA)

Using an MSA takes five steps:

If you are running these commands from a workstation rather than a domain controller, install the Active Directory PowerShell module first:

Add-WindowsFeature -Name RSAT-AD-Powershell

  1. Add the Key Distribution Center root key (a one-time operation per domain).
  2. Create the MSA in AD.
  3. Associate the MSA with a computer in AD.
  4. Install the MSA on the computer it was associated with.
  5. Configure the service(s) to use the MSA.

1. KDCRootKey

Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

2. Account Creation

Import-Module ActiveDirectory
New-ADServiceAccount -Name <serviceaccount> -RestrictToSingleComputer

3. Account Association

Import-Module ActiveDirectory
Add-ADComputerServiceAccount -Identity <computer> -ServiceAccount <serviceaccount>

4. Account Installation

Import-Module ActiveDirectory
Install-ADServiceAccount -Identity <serviceaccount>

5. Service Configuration

You configure the MSA as you would configure any virtual service account (e.g. DOMAIN\ServiceAccount$), without specifying a password.
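The five steps above carried through end to end, as an added example that is not part of the original page. The domain (CORP), the account name (svcBackup), the host (APP01) and the service name (BackupAgent) are assumptions; steps 4 and 5 are pushed to the host over WinRM, which assumes the AD PowerShell module is present there. The backdated -EffectiveTime is the page's lab shortcut for the KDS root key; in a multi-DC domain use -EffectiveImmediately and wait the 10-hour replication window instead.

```powershell
# Added example (not the original page's code). Assumed names:
#   domain   CORP        account  svcBackup  (logs on as CORP\svcBackup$)
#   host     APP01       service  BackupAgent
Import-Module ActiveDirectory

# --- Step 1: KDS root key, once per domain. Only create one if none exists;
# the backdated effective time skips the 10-hour replication wait and is
# only safe in a lab with a single DC.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# --- Step 2: create the standalone MSA. AES-only Kerberos keys are set at
# creation so the account never negotiates down to RC4.
$msa = 'svcBackup'
New-ADServiceAccount -Name $msa -RestrictToSingleComputer `
    -Description 'Backup agent on APP01' `
    -KerberosEncryptionType AES256

# --- Step 3: bind the account to the single computer allowed to use it.
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount $msa

# Review the binding: HostComputers lists the computer(s) this MSA is tied to.
(Get-ADServiceAccount -Identity $msa -Properties HostComputers).HostComputers

# --- Steps 4 and 5 run on APP01 itself (here via WinRM).
Invoke-Command -ComputerName 'APP01' -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $using:msa

    # Test-ADServiceAccount is $true only when THIS machine can retrieve the
    # managed password; stop here if it cannot, the service would fail to start.
    if (-not (Test-ADServiceAccount -Identity $using:msa)) {
        throw "APP01 cannot retrieve the managed password for $using:msa"
    }

    # Step 5: point the service at CORP\svcBackup$ with an empty password;
    # Windows fetches the real password from AD at logon. Start-Process hands
    # the argument string to sc.exe unchanged, so the empty "" survives.
    $logon = "CORP\$using:msa`$"
    Start-Process -FilePath sc.exe -Wait -NoNewWindow `
        -ArgumentList "config BackupAgent obj= `"$logon`" password= `"`""

    # Confirm what the Service Control Manager now has on record.
    (Get-CimInstance Win32_Service -Filter "Name='BackupAgent'").StartName
}
```

The HostComputers and StartName reads are the two checks worth keeping in an operations runbook: the first shows which machine AD will hand the password to, the second shows which identity the service will actually log on with.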

Group Managed Service Accounts (gMSA)

A gMSA behaves just like an MSA. The primary difference is that you can associate further devices with the account, not just a single one. You do so by allowing each device access to the account and then repeating the association and installation steps on each endpoint you want to use the gMSA.

1. Account Creation

Import-Module ActiveDirectory
# -DNSHostName is the DNS host name the account's service will run under.
New-ADServiceAccount -Name <serviceaccount> -DNSHostName <domaincontroller>

2. Account Association (once per endpoint)

Import-Module ActiveDirectory
# This parameter REPLACES the allowed list, so name every endpoint (computer
# accounts carry a trailing $) each time, or point it at a group instead.
Set-ADServiceAccount -Identity <serviceaccount> -PrincipalsAllowedToRetrieveManagedPassword <endpoint1>$,<endpoint2>$

3. Account Installation (once per endpoint)

Import-Module ActiveDirectory
Install-ADServiceAccount -Identity <serviceaccount>