First published on TechNet on Sep 10, 2009

Group Managed Service Accounts superseded MSAs, which were introduced in Windows 7 and Windows Server 2008 R2 (both no longer supported). Please use this updated link for more current information.

One of the more interesting new features of Windows Server 2008 R2 and Windows 7 is Managed Service Accounts. MSAs allow you to create an account in Active Directory that is tied to a specific computer. That account has its own complex password and is maintained automatically. This means that an MSA can run services on a computer in a secure and easy-to-maintain manner, while keeping the capability to connect to network resources as a specific user principal.

Troubleshoot a few common issues with MSAs.

The Windows Server 2008 R2 AD schema introduces a new object class called msDS-ManagedServiceAccount. Create an MSA, examine its objectClass attribute, and notice that the object has an interesting object class inheritance structure: the object is a user and a computer at the same time, just like a computer account. But it does not have an object class of person like a computer account typically would; instead it has msDS-ManagedServiceAccount. MSAs inherit from a parent object class of "Computer", but they are also users. MSA objects do not contain new attributes from the Win2008 R2 schema update.

And this leads me to how MSAs handle passwords; it's pretty clever. An MSA is a quasi-computer object that uses the same password update mechanism used by computer objects. So the MSA account password is updated when the computer updates its password (every 30 days by default). This can be controlled, just like a computer's password, with the following two DWORD values under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

DisablePasswordChange =

MSAs, like computers, do not observe domain or fine-grained password policies. MSAs use a complex, automatically generated password (240 bytes, which is 120 characters, and cryptographically random). MSAs cannot be locked out and cannot perform interactive logons. All Managed Service Accounts are created (by default) in the new CN=Managed Service Accounts, DC=, DC= container. Administrators can set an MSA password to a known value, although there's ordinarily no justifiable reason to (and they can be reset on demand; more on this later).
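The objectClass inheritance and the Netlogon-driven password rotation described above can be checked from a domain member. The following audit script is an added example, not code from the original post; it assumes a domain-joined Windows host with the .NET System.DirectoryServices assembly, and it treats the Netlogon value MaximumPasswordAge (a documented sibling of DisablePasswordChange) as the rotation interval, defaulting to the 30 days the post mentions.

```powershell
# Added example, not part of the original post. Assumes a domain-joined Windows host;
# uses System.DirectoryServices directly so no RSAT module is required.

function Get-MsaPasswordAudit {
    # Netlogon DWORDs that govern machine (and therefore MSA) password rotation on this host.
    # DisablePasswordChange=1 turns rotation off; MaximumPasswordAge is in days and is
    # assumed to default to 30 when the value is absent.
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $netlogon = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $rotationDisabled = ($netlogon.DisablePasswordChange -eq 1)
    $maxAgeDays = if ($netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }

    # Enumerate every object of the Win2008 R2 schema class. DirectorySearcher returns all
    # values of the multi-valued objectClass attribute, i.e. the full inheritance chain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(objectClass=msDS-ManagedServiceAccount)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'objectclass', 'pwdlastset'))

    foreach ($r in $searcher.FindAll()) {
        # pwdLastSet is a FILETIME; 0 means no password has been set on the object yet.
        $raw     = if ($r.Properties.Contains('pwdlastset')) { [int64]$r.Properties['pwdlastset'][0] } else { 0 }
        $lastSet = if ($raw -gt 0) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
        $ageDays = if ($lastSet) { [int]([DateTime]::UtcNow - $lastSet).TotalDays } else { $null }
        [pscustomobject]@{
            Name                  = [string]$r.Properties['name'][0]
            ObjectClassChain      = (@($r.Properties['objectclass']) -join ' > ')
            PasswordLastSetUtc    = $lastSet
            PasswordAgeDays       = $ageDays
            # Flag anything older than the rotation interval, or never rotated at all.
            Stale                 = ($null -eq $ageDays) -or ($ageDays -gt $maxAgeDays)
            LocalRotationDisabled = $rotationDisabled
            LocalMaxAgeDays       = $maxAgeDays
        }
    }
}

# Stale rows usually mean the owning host has DisablePasswordChange=1 or has not talked
# to a DC recently; investigate that host rather than resetting the MSA password by hand.
Get-MsaPasswordAudit | Where-Object Stale | Format-Table Name, PasswordAgeDays, ObjectClassChain -AutoSize
```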