Managed Service Accounts
Windows Server 2008 R2 and Windows 7 have two new types of service accounts called Managed Service Accounts (MSA) and Virtual Accounts. These make long-term management of service account users, passwords and SPNs much easier.
Consider the environment at OrcsWeb. As a PCI Compliant hosting company, we need to change all security related passwords every 3 months. This is a substantial undertaking each time because of hundreds of passwords spread throughout our enterprise. We have scripts and tools and manual steps, causing us to groan each time we get our password change reminder at the beginning of the new quarter. Even non-PCI compliant companies have the need to manage passwords for service accounts.
Now, imagine if the effort of changing passwords on each of the service accounts was completely eliminated, without any security risk! That’s what Managed Service Accounts allow (too bad service accounts aren’t the only type of password that we have to manage).
Essentially, Active Directory takes care of the password and SPN management for us, allowing us to create accounts, assign them to a Windows Service, and never require us to update the password again.
Hello World
I find that getting the first ‘hello world’ working is oftentimes the most difficult, so in this blog I want to cover an end-to-end walkthrough of a simple configuration.
Environment
Windows 7 is also supported as a member computer, and you can run this with a Windows Server 2008 or 2003 Domain by installing the Active Directory Management Gateway Service and running adprep /domainprep. See the Step-by-Step Guide for more details about that.
Pre-requisites (for a pure Windows Server 2008 R2 environment)
The domain server will have everything necessary. PowerShell 2.0 is installed with R2 by default and the management tools are already installed.
The member server or computer will need to have the Active Directory PowerShell Snap-in enabled.
To do this from Windows Server 2008 R2, perform the following:
- Open Server Manager
- Click “Features”, then “Add Features”
- Add the “Active Directory module for Windows PowerShell”, found under Remote Server Administration Tools / Role Administration Tools / AD DS and AD LDS Tools.
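The same prerequisite can be scripted on the member server instead of clicking through Server Manager. The following is an added example, not code from the original post, and it assumes you are running an elevated PowerShell 2.0 session on Windows Server 2008 R2 where the feature name is RSAT-AD-PowerShell:

```powershell
# Enable the Active Directory module for Windows PowerShell on a member server
# (equivalent to the Server Manager steps above) and verify it is usable.
# Assumes an elevated PowerShell session on Windows Server 2008 R2.

Import-Module ServerManager

$featureName = 'RSAT-AD-PowerShell'
$feature = Get-WindowsFeature -Name $featureName

if (-not $feature.Installed) {
    Write-Host "Installing feature $featureName ..."
    $result = Add-WindowsFeature -Name $featureName
    if (-not $result.Success) {
        throw "Failed to install $featureName (exit code: $($result.ExitCode))"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the module can be used.'
    }
} else {
    Write-Host "$featureName is already installed."
}

# Load the module and confirm the MSA-related cmdlets are present.
# Get-Command throws if a name is not found, so a missing cmdlet stops the script.
Import-Module ActiveDirectory
$required = 'New-ADServiceAccount', 'Install-ADServiceAccount', 'Test-ADServiceAccount'
$required | ForEach-Object { Get-Command -Name $_ -ErrorAction Stop | Out-Null }
Write-Host 'Active Directory module loaded; MSA cmdlets are available.'
```

Run this on each member server that will host an MSA-backed service; the domain controller already has the module, as noted above.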