
by Greg Shields
We all hate service accounts. Our inner security administrator hates how these accounts aren’t really linked to a human, and how many admins usually know their passwords. Our inner systems administrator hates when password policies lock out these accounts with no warning and when we least expect it. Our inner manager hates how these accounts get spread across network computers, often getting lost or forgotten over a period of years.
Most importantly, our forward-looking visionary yearns for the day when local service accounts can just be linked to a domain account. Accomplishing that, we could change the password for a domain account and rest assured that all its linked local accounts would see the same change.
Well, the future is now when it comes to Windows Server 2008 R2’s new managed service accounts feature. With Windows Server 2008 R2 and Windows 7, each of these inner IT pros gets exactly the service account administration features they’ve long desired.
Managed service accounts are a new class of account available in both of Microsoft’s newest OSs. A managed service account is a domain account that is tied to a single computer; the domain account and the computer pair up to provide automatic password management (the password is changed automatically, like a computer account password, and no administrator ever needs to know it) as well as simplified Service Principal Name (SPN) management. With it, you’ll be able to manage your service account passwords from Active Directory rather than on each machine, and delegate the administration of those accounts to other administrators. Here’s the step-by-step you’ll want to use in creating your own managed service accounts.
Step one is to ensure that your AD is operating at the correct Domain Functional level. The Windows Server 2008 R2 Domain Functional Level is required for full automation of all managed service account functionality. See this series’ article on upgrading if you need the details on this process.
Domains that have not reached that level can still make use of managed service accounts, provided the forest schema has been extended to Windows Server 2008 R2 (adprep /forestprep). However, environments that have not upgraded will need to manually configure SPN data for each managed service account, and will also need to install an instance of the Active Directory Management Gateway Service on a domain controller so the Active Directory module cmdlets can talk to it. Note that the computer on which the account is installed and used must itself run Windows Server 2008 R2 or Windows 7 regardless of the domain’s level.
Step two is to install a set of prerequisites onto each computer where a managed service account will be used. These components are the .NET Framework (version 3.5.1 or greater), Windows PowerShell, and the Active Directory module for Windows PowerShell (part of the Remote Server Administration Tools). These components are installed from Server Manager on Windows Server 2008 R2 and, after downloading the Remote Server Administration Tools package, from the Turn Windows Features on or off console in Windows 7.
Step three involves actually creating the managed service account in the domain. Managed service accounts are created and managed with the Active Directory module for Windows PowerShell, using the following command (the value after -Name becomes the account’s SAM account name, with a trailing dollar sign appended automatically):
New-ADServiceAccount -Name <AccountName>
Running this command will create the new account and place it in the Managed Service Accounts container of the same domain. Once created, viewing and manipulating the configuration of this account can be done with the following commands:
Get-ADServiceAccount -Identity <AccountName> -Properties *
Set-ADServiceAccount -Identity <AccountName> [properties]
Step four installs the managed service account created in the previous steps on the local computer for use. This process needs to happen on every computer that will use the managed service account (a Windows Server 2008 R2 managed service account can be installed on only one computer at a time), and it is what hands the account’s password to the local computer so that no administrator ever has to type it. Run the following command on that computer, as a user who has permission to modify the account in the domain:
Install-ADServiceAccount -Identity <AccountName>
Once installed, the account can be used for starting services through the Services console using the same process employed for other accounts. When working with managed service accounts in the Services console, enter the account as DOMAIN\AccountName$ (the name must end with a dollar sign), and leave both password fields blank; the Service Control Manager retrieves the password from the local computer, so there is no password for you to enter or to know.
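The four steps above, carried through end to end as one PowerShell session. This is an added example, not code from the article or from Microsoft’s guide; it uses only the Windows Server 2008 R2 version of the Active Directory module (no Windows Server 2012-era cmdlets). The domain CONTOSO, the account name svc-web, the host WEB01, the SPN and the service name MyWebService are all assumed placeholders.

```powershell
# Added example (not from the original article). Assumed names: domain CONTOSO,
# managed service account 'svc-web', host WEB01, Windows service 'MyWebService'.
Import-Module ActiveDirectory

$msaName = 'svc-web'                    # will be used as CONTOSO\svc-web$
$hostName = 'WEB01'
$svcName = 'MyWebService'
$spn = 'HTTP/web01.contoso.com'         # assumed SPN for the service

# --- Step 1: check the domain functional level --------------------------
# Below Windows2008R2Domain the account still works, but SPNs are not kept
# in sync automatically, which is why $spn is set explicitly in step 3.
$domain = Get-ADDomain
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    $msg = "Domain mode is $($domain.DomainMode); SPNs must be maintained by hand."
    Write-Warning $msg
}

# --- Step 2: prerequisites on the computer that will run the service ----
# Windows Server 2008 R2 only; on Windows 7 install RSAT and enable the
# module in 'Turn Windows features on or off' instead.
Import-Module ServerManager
Add-WindowsFeature NET-Framework-Core, RSAT-AD-PowerShell | Out-Null

# --- Step 3: create the account in the domain ----------------------------
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Description "Runs $svcName on $hostName" `
    -ServicePrincipalNames $spn

# Read it back; PasswordLastSet will advance on its own from now on.
Get-ADServiceAccount -Identity $msaName -Properties * |
    Select-Object Name, SamAccountName, DistinguishedName, Enabled,
                  PasswordLastSet, ServicePrincipalNames

# Optional: pre-authorise WEB01 for this account in AD, so a delegated
# administrator on WEB01 can run step 4 without rights on the account itself.
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# --- Step 4: on WEB01, install the account and bind the service ---------
Install-ADServiceAccount -Identity $msaName

# The computer object now records the account it hosts.
(Get-ADComputer $env:COMPUTERNAME -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'

# Reassign the service through WMI instead of clicking through services.msc.
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
#   StartMode, DesktopInteract, StartName, StartPassword, ...); $null means
#   "leave unchanged". For a managed service account the password MUST be
#   null: the Service Control Manager fetches the secret from the local LSA.
$account = "$($domain.NetBIOSName)\$msaName`$"
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
$rc = $svc.Change($null, $null, $null, $null, $null, $null, $account, $null)
if ($rc.ReturnValue -ne 0) {
    throw "Could not reassign $svcName (Win32_Service.Change returned $($rc.ReturnValue))"
}

# Unlike the Services console, WMI does not grant 'Log on as a service'
# automatically; grant it through Local Security Policy if the start fails
# with a logon failure.
Restart-Service -Name $svcName

# Confirm the service is now running as the managed service account.
(Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'").StartName
```

Steps 1 and 3 can be run from any machine with the Active Directory module; steps 2 and 4 must be run on the computer that will host the service, because Install-ADServiceAccount stores the account’s password in that computer’s LSA and nowhere else.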
Additional information about how to work with these accounts can be found in Microsoft’s Service Accounts Step-by-Step Guide at http://technet.microsoft.com/en-us/library/dd548356(WS.10,printer).aspx.
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple-time recipient of the Microsoft “Most Valuable Professional” award.
