Managed Service Account

Managed Service Accounts (MSAs) are a good option when you need to run a process or script under a service account without managing its password: the domain generates the password, rotates it automatically (every 30 days by default) and never discloses it to an administrator, so there is nothing to leak, expire or hard-code. In this article we'll walk through the steps required to create an MSA.

Note, this article only discusses standalone MSAs and not their cousin the gMSA (group Managed Service Account). The primary difference between the two account types is scope: a standalone MSA can be installed on exactly one computer, while a gMSA can be used on multiple computers (and additionally requires a KDS root key in the domain).

Domain Controller Configuration

Starting on the domain controller, open an elevated PowerShell window and run the following commands. They create the MSA and link it to a specific server.

Create MSA Account

Run the following PowerShell command to create a new MSA. The -RestrictToSingleComputer switch is what makes it a standalone MSA; on a Windows Server 2012 or later domain, New-ADServiceAccount without it creates a gMSA instead. If a mistake is made, you can safely delete the new account using the Remove-ADServiceAccount cmdlet.

New-ADServiceAccount -Name host01-msa -RestrictToSingleComputer

The newly created MSA can be viewed in Active Directory Users & Computers under the Managed Service Accounts container (it is a container, not an OU, so you cannot move it or link a GPO to it).

ℹ️
By default, this container is hidden from view. To expose it select View » Advanced Features.

Assign Host

Next, we’ll specify which Windows server the MSA account can be used on.

$Identity = Get-ADComputer -Identity host01
Add-ADComputerServiceAccount -Identity $Identity -ServiceAccount host01-msa

Recall that a standalone MSA can be linked to only one computer. If you'd like to use one account on multiple servers, use its cousin the gMSA instead.
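The two domain-controller steps above, as one added example that is not part of the original article: it creates the standalone MSA only if it does not already exist, links it to the computer, and then verifies the link from the MSA side before reporting success. The account name host01-msa and computer name host01 are the article's; everything else (the idempotency check, the verification and the commented-out cleanup) is an assumption of this example.

```powershell
# Added example, not the article's own code. Run on a domain controller (or any host with the
# AD module) from an elevated PowerShell session as a user allowed to create service accounts.
# Assumed names: MSA host01-msa, computer host01.
Import-Module ActiveDirectory

$MsaName      = 'host01-msa'
$ComputerName = 'host01'

# Create the account only if it does not exist yet. -RestrictToSingleComputer is what makes
# this a standalone MSA; on a 2012+ domain, omitting it creates a gMSA (which also needs a
# KDS root key).
$Msa = Get-ADServiceAccount -Filter "Name -eq '$MsaName'"
if (-not $Msa) {
    New-ADServiceAccount -Name $MsaName -RestrictToSingleComputer -Enabled $true
    $Msa = Get-ADServiceAccount -Identity $MsaName
}

# Link the MSA to exactly one computer. The link is stored on both objects:
# msDS-HostServiceAccount on the computer and the HostComputers property on the MSA.
$Computer = Get-ADComputer -Identity $ComputerName
Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Msa

# Verify: the MSA should list exactly one host, and it must be the computer we just linked.
$Hosts = @((Get-ADServiceAccount -Identity $MsaName -Properties HostComputers).HostComputers)
if ($Hosts.Count -ne 1 -or $Hosts -notcontains $Computer.DistinguishedName) {
    throw "Unexpected host list for ${MsaName}: $($Hosts -join ', ')"
}
Write-Host "$MsaName is linked to $($Computer.DistinguishedName)"

# If a mistake was made, undo in this order (commented out so it does not run by default):
# Remove-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Msa
# Remove-ADServiceAccount -Identity $MsaName -Confirm:$false
```

The HostComputers check is the one worth keeping: if it lists a different computer, Install-ADServiceAccount on host01 will fail later with an error that says nothing about the link.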

Host Configuration

It's now time to head over to the server (host01 in our example) and install the MSA. Run the following from an elevated PowerShell session as a domain user.

Install RSAT Tools

Start by ensuring the Active Directory module for Windows PowerShell, part of the Remote Server Administration Tools (RSAT), is installed. It supplies the *-ADServiceAccount cmdlets used below.

Add-WindowsFeature RSAT-AD-PowerShell

Install MSA Account

Install the MSA onto the server so it's available for use. This is where the computer retrieves the account's password from the domain and caches it locally; from here on the computer keeps it rotated.

Install-ADServiceAccount -Identity host01-msa

Verify Account

Lastly, verify that it works. If the account is ready for use, the command returns $true; $false (usually with a warning) means the install or the host link is wrong.

Test-ADServiceAccount host01-msa
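The three host-side steps above, as one added example that is not part of the original article. It installs the RSAT module only if missing, refuses to continue if the MSA was not linked to this computer on the DC, installs the account and then fails loudly if Test-ADServiceAccount does not return $true. The account name host01-msa is the article's; the pre-flight link check and the use of $env:COMPUTERNAME are assumptions of this example, and it assumes a Windows Server host (Get-WindowsFeature is not available on client editions).

```powershell
# Added example, not the article's own code. Run on host01 from an elevated PowerShell
# session as a domain user permitted to install the MSA. Assumed account name: host01-msa.
$MsaName = 'host01-msa'

# The Active Directory PowerShell module (part of RSAT) supplies the *-ADServiceAccount cmdlets.
if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
    Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
}
Import-Module ActiveDirectory

# Refuse to continue if this computer is not the one the MSA was linked to on the DC;
# Install-ADServiceAccount would fail anyway, but with a less helpful error.
$Msa = Get-ADServiceAccount -Identity $MsaName -Properties HostComputers
$Me  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
if (@($Msa.HostComputers) -notcontains $Me) {
    throw "$MsaName is not linked to $env:COMPUTERNAME; fix the link on the DC first."
}

# Install the MSA locally. The computer fetches and caches the account's password and keeps
# it rotated; no administrator ever sees it.
Install-ADServiceAccount -Identity $MsaName

# Test-ADServiceAccount returns $true only when the account can actually be used on this host.
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "Test-ADServiceAccount failed for $MsaName on $env:COMPUTERNAME"
}
Write-Host "$MsaName is installed and ready on $env:COMPUTERNAME"
```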

Usage

The MSAScheduledTask.ps1 script shows an example of using an MSA. Highlighted below is an MSA, in this case TWOBYTE\host01-msa$ (note the trailing $, which is part of the account's logon name), being used to run a script on a set schedule. Because the task runs with whatever rights host01-msa$ holds, grant the account only the permissions the script needs, and restrict write access to the share holding the script: anyone who can modify myscript.ps1 gets code execution as the MSA.

MSAScheduledTask.ps1
# Location of Script to run.
$ScriptPath = "\\ad.twobyte.blog\scripts\myscript.ps1"

# Account to run script under. In this case an MSA account.
$LogonAccount = 'TWOBYTE\host01-msa$'

# When the Scheduled Task should run.
$ScheduledDayofWeek = "Tuesday"
$ScheduledTime = "9am"
...
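How those variables turn into a registered task, as an added example that is not the article's MSAScheduledTask.ps1. The script path, account and schedule are the ones shown above; the task name MSA-MyScript, the powershell.exe arguments and the post-registration check are assumptions of this example. The key detail is the principal: an MSA has no password a human can type, so the task is registered with -LogonType Password and no -Password, which tells the Task Scheduler to obtain the managed password from the domain itself at run time.

```powershell
# Added example, not the article's MSAScheduledTask.ps1. Run on host01 (where the MSA is
# installed) from an elevated PowerShell session.
# Assumed: task name MSA-MyScript; script path, account and schedule as in the article.
$ScriptPath         = '\\ad.twobyte.blog\scripts\myscript.ps1'
$LogonAccount       = 'TWOBYTE\host01-msa$'
$ScheduledDayofWeek = 'Tuesday'
$ScheduledTime      = '9am'
$TaskName           = 'MSA-MyScript'

# What to run: a non-interactive PowerShell that executes the script from the share.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

# When to run it.
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $ScheduledDayofWeek -At $ScheduledTime

# Who runs it. -LogonType Password with no -Password is the MSA/gMSA pattern: the Task Scheduler
# retrieves the managed password from the domain when the task fires. Keep -RunLevel Limited
# unless the script genuinely needs an elevated token.
$Principal = New-ScheduledTaskPrincipal -UserId $LogonAccount -LogonType Password -RunLevel Limited

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal | Out-Null

# Confirm the task is registered under the MSA and not under whoever ran this script.
$Task = Get-ScheduledTask -TaskName $TaskName
if ($Task.Principal.UserId -ne $LogonAccount) {
    throw "Task $TaskName runs as $($Task.Principal.UserId), expected $LogonAccount"
}
Write-Host "$TaskName registered to run as $LogonAccount"
```

After the first scheduled run, Get-ScheduledTaskInfo -TaskName MSA-MyScript shows LastTaskResult; a non-zero value there, with the task otherwise configured correctly, usually means the MSA lacks read access to the share or a permission the script itself needs.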

Troubleshooting

If needed, you can use PsExec to open a PowerShell window under the MSA, which is the quickest way to check what the account can and cannot access. Run the following from an elevated prompt on host01 (the computer the account is installed on); since no real password exists, ~ is passed in its place, which tells PsExec to perform the logon as a managed service account. Inside the new window, whoami should report twobyte\host01-msa$.

.\PsExec.exe -i -u TWOBYTE\host01-msa$ -p ~ powershell.exe