How To Configure Managed Service Accounts


Managed Service Accounts (MSAs) are a powerful way to securely manage service accounts in a Windows domain. MSAs give administrators a convenient way to manage the passwords, SPNs, and delegation of service accounts while ensuring that the passwords are changed automatically on a schedule, without any user intervention.

MSAs are ideal for applications that require secure authentication, such as web servers and databases. By using an MSA, administrators can ensure that the credentials used by services are kept up-to-date without having to manually update them. It also eliminates the need for shared accounts and reduces the risk of password theft or misuse.

To create an MSA, you will first need to set up a Key Distribution Service Root Key (KdsRootKey) on your Domain Controller (DC). This is done by using the Active Directory module for PowerShell. Once this is completed, you will be able to create MSAs with unique passwords for each service account. You can then assign permissions to these accounts and delegate management of them as needed.

When setting up MSAs, it’s important to remember that they cannot be used for interactive logon or remote access services. Additionally, MSAs can only be used on computers joined to the same domain as their associated users and groups.

Overall, MSAs are an invaluable tool for managing service accounts in Windows domains. They eliminate the need for manual password updates, reduce the risk of password theft or misuse and simplify SPN management tasks. With MSAs, administrators can have peace of mind knowing that their services have secure credentials that can be managed easily and efficiently.

The Benefits of Using Managed Service Accounts

Managed Service Accounts (MSAs) are an Active Directory service that provides secure, automatic password management and simplified SPN management for services running on Windows Server. They are designed to securely manage the credentials of services running on multiple servers with no additional administrative effort. MSAs make it easier to deploy and manage services in a secure environment by eliminating the need to manually manage passwords and SPNs associated with each service account. MSAs also allow administrators to delegate the management of MSA accounts to other administrators while still maintaining full control over their security settings. In addition, MSAs enable services to authenticate across multiple domains without needing manual configuration or additional infrastructure components.


Difference Between Service Accounts and Managed Service Accounts

Service accounts and managed service accounts are both user accounts that can be used to run a particular service or software. However, the key difference between these two types of accounts is that managed service accounts have an automated process for changing the password of the account on a set schedule. This eliminates the need for an administrator to manually update the password, making it more secure and reliable than a regular service account. Additionally, managed service accounts are typically configured to not expire, whereas regular service accounts usually have an expiration date associated with them.

Creating an MSA Account

Creating an MSA (Managed Service Account) account requires the use of the Active Directory module for PowerShell.

First, you need to create a Key Distribution Service Root Key (KdsRootKey). This is necessary because Domain Controllers (DCs) need a root key to begin generating gMSA passwords. To do this, open PowerShell as an administrator and run the following command:
New-KdsRootKey -EffectiveTime ((get-date).AddHours(-10))
This will create a new KdsRootKey with an effective time of 10 hours in the past. Once this is done, you can proceed with creating the MSA account.

Next, create a new MSA using the following command:
New-ADServiceAccount -Name <AccountName> -DNSHostName <DNSHostName> -Enabled $true
Replace <AccountName> with your desired name for the account and <DNSHostName> with its fully qualified domain name (both are placeholders). This will create a new MSA with its password set to Never Expire.

Finally, you need to configure the permissions for the new MSA. To do this, use the Set-ADServiceAccount command to grant it access to specific resources:
Set-ADServiceAccount -Identity <AccountName> -PrincipalsAllowedToRetrieveManagedPassword <Principals>
Replace <AccountName> with your chosen name and <Principals> with the groups, users or computers that will be allowed to retrieve the managed password (both are placeholders). This will grant them permission to retrieve and reset the managed password associated with your new MSA account.
Once these steps are complete, you have successfully created an MSA account!
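The three steps above, carried through as an added example script (not code from the original article), run from a domain-joined admin host with the ActiveDirectory module. The account name svc-web01, its DNS host name svc-web01.corp.example.com and the group GG-WebServers are placeholders; the script also restricts the account to AES Kerberos encryption and verifies the result, which the article's commands alone do not show.

```powershell
# Added example, not from the original article. Creates a group MSA end to end.
Import-Module ActiveDirectory

$AccountName  = 'svc-web01'                    # placeholder gMSA name (sAMAccountName becomes svc-web01$)
$DnsHostName  = 'svc-web01.corp.example.com'   # placeholder fully qualified DNS host name
$AllowedHosts = 'GG-WebServers'                # placeholder group of computer accounts allowed to fetch the password

# Step 1: make sure a KDS root key exists. An effective time 10 hours in the past
# (as in the article) lets the DCs use it at once; in production prefer the default,
# which delays use by 10 hours so the key has replicated to every DC first.
if (-not (Get-KdsRootKey)) {
    New-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Step 2: create the account if it is not already there. Limiting Kerberos to AES
# keeps RC4 tickets, which are far weaker against offline cracking, out of play.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName $DnsHostName `
        -Enabled $true `
        -KerberosEncryptionType AES128,AES256 `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
}

# Step 3: (re)apply who may retrieve the managed password. Keep this to a small group
# of computer accounts; a broad group such as Domain Computers hands the secret to every host.
Set-ADServiceAccount -Identity $AccountName `
    -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts

# Verify: the retrieval principals and the rotation interval (30 days by default).
Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, DNSHostName, Enabled, ManagedPasswordIntervalInDays,
                  PrincipalsAllowedToRetrieveManagedPassword
```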

The Difference Between Managed Services and SaaS

Managed services and SaaS are not the same. While SaaS provides companies with cloud-based software and its associated benefits, managed services provide additional support by handling both networking and hardware requirements. Managed services can include IT support, help desk services, application maintenance, disaster recovery planning, data backups, and more. With managed services, companies can benefit from increased efficiency while also reducing their IT costs. Ultimately, the choice between SaaS and managed services depends on your business needs; both can help reduce costs while increasing performance.

Using Managed Service Accounts

Managed Service Accounts (MSAs) are a type of user account that is used to run services on Windows Server. They provide an easy way to manage services with an automated password management system, allowing you to avoid the hassle and security risks of manual password management. MSAs can be used on any Windows Server operating system and are also available in Azure Active Directory.

To use an MSA, begin by creating an account in Active Directory (AD). You then need to associate the MSA with a computer in AD. After this is done, install the MSA on the computer and configure the service(s) that will use it. When the service(s) are configured, they will use the MSA’s automatically-managed credentials for authentication and authorization purposes.

Keep in mind that when using MSAs, you should ensure that all service accounts have unique passwords so that they cannot be accessed by unauthorized users. Additionally, set up alerts or notifications when passwords expire or need to be changed. This will help keep your systems secure and prevent any potential issues from arising due to outdated credentials.
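The host-side steps described above (associate the account with the computer, install it, configure the service), as an added example that is not part of the original article. It runs as an administrator on the server that will host the service; svc-web01, WEB01, CORP and MyWebService are placeholders, and the closing check lists services on the host that still run under a named user account, the ones that still carry a manually managed password.

```powershell
# Added example, not from the original article. Binds and installs an MSA on a server,
# then switches one service to it.
Import-Module ActiveDirectory

$AccountName   = 'svc-web01'      # placeholder MSA already created in AD
$ComputerName  = 'WEB01'          # placeholder: this server's AD computer account
$ServiceName   = 'MyWebService'   # placeholder Windows service that will run under the MSA
$NetbiosDomain = 'CORP'           # placeholder NetBIOS domain name

# Associate the account with this computer. A standalone MSA is bound to one host;
# a gMSA additionally needs this computer in PrincipalsAllowedToRetrieveManagedPassword.
Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $AccountName

# Install the account locally so the LSA can fetch and cache its managed password.
Install-ADServiceAccount -Identity $AccountName

# Confirm this host can actually retrieve the password before touching any service.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "This computer cannot retrieve the managed password for $AccountName; check its group membership and replication."
}

# Point the service at the account. The trailing '$' marks a service account and the
# password is left empty: Windows obtains it from AD, so no secret is stored in the service config.
& sc.exe config $ServiceName obj= "$NetbiosDomain\$AccountName`$" password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $ServiceName

# Defensive check: services on this host still running as a named user account
# (not LocalSystem, a built-in NT AUTHORITY/NT SERVICE identity, or an MSA ending in '$').
Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' -and
        $_.StartName -notmatch '\$$'
    } |
    Select-Object Name, StartName, State
```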

Advantages of Managed Service Accounts

Managed Service Accounts (MSAs) provide a convenient way to securely manage services that are running on multiple computers. They offer several advantages over traditional user accounts, including automatic password management, simplified service principal name (SPN) management, and the inability to interactively log into Windows. In addition, MSAs allow administrators to easily control which computers are authorized to authenticate MSAs and run code in their context. This helps ensure that only trusted systems can access sensitive data or perform privileged tasks.

Limitations of Managed Service Accounts

Managed Service Accounts (MSAs) are a type of Active Directory account that provides enhanced security and manageability for applications running on Windows Server. MSAs are designed to be used with applications that require a single, dedicated account to run services or access resources.

The main limitation of MSAs is that they can only be used on one domain server at a time, so if you need to use the same MSA across multiple servers, you’ll have to set up separate accounts for each one. Additionally, because MSAs are managed by the computer, if the computer is ever replaced or removed from the domain, the MSA will no longer function correctly.

Finally, MSAs can only be used with certain types of services and applications. For example, they cannot be used with Windows services such as IIS or DHCP. They also cannot be used for interactive logins or remote desktop sessions.


In conclusion, managed service accounts (MSAs) are a great way to improve password security and simplify service principal name (SPN) management. MSAs provide automatic password management, meaning that the password of the service account is automatically changed periodically without administrator interaction. Furthermore, MSAs can be delegated to other administrators for easier management. To create an MSA, you need to generate a Key Distribution Service Root Key using the Active Directory module for PowerShell. By using MSAs, you can improve your security and have more control over who has access to your services accounts.

James Walker

James Walker has a deep passion for technology and is our in-house enthusiastic editor. He graduated from the School of Journalism and Mass Communication, and loves to test the latest gadgets and play with older software (something we’re still trying to figure out about himself). Hailing from Iowa, United States, James loves cats and is an avid hiker in his free time.