Traditionally, system administrators use regular Active Directory (AD) user accounts with limited permissions to run a service (service accounts).
Managed Service Accounts (MSA) are special accounts that eliminate the need for administrators to manually manage the credentials, passwords, and SPNs of traditional service accounts. With MSAs, these tasks also no longer disrupt the service (no downtime).
- Administration: Automatic password changes. No manual password management.
- Availability: No service downtime for password changes.
- Security: Frequent password changes. Interactive user logon to systems with an MSA is not possible.
- Initial setup: Initial setup and troubleshooting are more complex for MSAs than for regular user accounts.
Types of managed service accounts
There are three types of managed service accounts.
- Virtual Account: Local system account for local services. Access to network resources is only possible via the computer identity.
- Managed Service Account (MSA): Active Directory account for generic services.
- Group Managed Service Account (gMSA): Active Directory account for cluster services.
Requirements
Use PowerShell to work with managed service accounts. Install and import the following module on the system on which you want to use MSAs.
$ Install-WindowsFeature RSAT-AD-PowerShell
$ Import-Module ActiveDirectory
Create a managed service account in Active Directory
$ New-ADServiceAccount <account name> -RestrictToSingleComputer
Docs: New-ADServiceAccount
Install a managed service account on a system
Before you can use an MSA, you have to install it on the target system.
$ Install-ADServiceAccount <account name>
You can test the MSA from the system.
$ Test-ADServiceAccount <account name>
True
Now, use the Services console (Services.msc) to configure a service to use the MSA. Leave the password blank and ensure that the account name ends with a dollar sign ($). Start or restart the service.
Remove a managed service account
You should remove an MSA from the system if it is no longer needed.
$ Uninstall-ADServiceAccount <account name>
Reset the password for a managed service account
Active Directory manages MSA passwords automatically, so normally you don’t have to do anything. Should you still need to reset the password manually, you can do so.
$ Reset-ADServiceAccountPassword <account name>
Troubleshooting
A service does not start with a managed service account
$ Get-ADServiceAccount <account name>
DistinguishedName : CN=msa-sql01,CN=Managed Service Accounts,DC=example,DC=com
Enabled : True
Name : msa-sql01
ObjectClass : msDS-ManagedServiceAccount
ObjectGUID : 12345a13-12e3-1c23-b456-a123e123fd78
SamAccountName : msa-sql01$
SID : S-1-5-21-1234567890-1234567890-098765432-184195
UserPrincipalName :
Make sure the MSA is installed on the system.
$ Install-ADServiceAccount <account name>
Make sure the account has the SeServiceLogonRight ("Log on as a service") permission.
$ NTRights +r SeServiceLogonRight -u <account name>
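The troubleshooting checks above, collected into one script as an added example (not code from the original article). The account name, service name, and the temporary policy export path are placeholders; it assumes it runs on the member server that should host the service, with the ActiveDirectory module installed.

```powershell
# Added example: check why a service does not start under a standalone MSA.
# Account and service names below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$AccountName = 'msa-sql01',     # placeholder MSA name (without trailing $)
    [string]$ServiceName = 'MSSQLSERVER'    # placeholder Windows service name
)

# 1. Account object in AD: must exist, be enabled, and be linked to this host.
$msa = Get-ADServiceAccount -Identity $AccountName -Properties HostComputers -ErrorAction Stop
$thisHost = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$linkedHere = $msa.HostComputers -contains $thisHost

# 2. Was Install-ADServiceAccount run on this system?
$installed = Test-ADServiceAccount -Identity $AccountName

# 3. Is the service configured to log on as the MSA? The name must end with '$'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$runsAsMsa = [bool]$svc -and ($svc.StartName -like "*\$($msa.SamAccountName)")

# 4. 'Log on as a service' (SeServiceLogonRight): export the local user-rights
#    policy and look for the MSA's SID in the SeServiceLogonRight line.
$cfg = Join-Path $env:TEMP 'msa-userrights.inf'   # placeholder temp path
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$hasRight = [bool]$line -and ($line.Line -match [regex]::Escape($msa.SID.Value))
Remove-Item $cfg -ErrorAction SilentlyContinue

# Summary: any $false here points at the step in the article that was skipped.
[pscustomobject]@{
    Account          = $msa.SamAccountName
    Enabled          = $msa.Enabled
    LinkedToThisHost = $linkedHere
    InstalledLocally = $installed
    ServiceLogOnAs   = $svc.StartName
    ServiceUsesMsa   = $runsAsMsa
    HasLogonRight    = $hasRight
}
```

Run it in an elevated PowerShell session, since exporting the local security policy with secedit.exe requires administrator rights.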