How to Configure Windows Server 2016 Managed Service Accounts

Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 to address the administrative overhead of managing service account passwords. In Windows Server 2016, MSAs continue to provide automatic password management and simplified Service Principal Name (SPN) management for services running on a single computer. Unlike traditional service accounts, the domain controller automatically rotates the MSA password every 30 days, eliminating the risk of stale credentials and reducing administrative burden.

MSAs have one important limitation: they can only be used on a single computer. If you need to run a service across multiple servers, such as in a failover cluster or load-balanced farm, you must use Group Managed Service Accounts (gMSAs) instead. This tutorial covers standalone MSAs suitable for services running on a single Windows Server 2016 host.

Step 1: Verify Domain Functional Level

MSAs require a domain functional level of Windows Server 2008 R2 or higher. Verify the current domain functional level using PowerShell:

Get-ADDomain | Select-Object DomainMode

If the domain functional level is below Windows 2008 R2, raise it before proceeding. Ensure all domain controllers are running Windows Server 2008 R2 or later first.

Step 2: Install the Active Directory Module

MSAs are created and managed using the Active Directory PowerShell module. On the domain controller or management workstation, import the module:

Import-Module ActiveDirectory

If the module is not installed, add the Remote Server Administration Tools feature:

Install-WindowsFeature -Name RSAT-AD-PowerShell

Step 3: Create the Managed Service Account

Use the New-ADServiceAccount cmdlet to create a new MSA. The account is automatically placed in the Managed Service Accounts container in Active Directory.

New-ADServiceAccount -Name "msa_webservice" `
    -RestrictToSingleComputer `
    -Description "MSA for IIS Web Service on webserver01"

The RestrictToSingleComputer switch creates a standalone MSA; without it, New-ADServiceAccount on Windows Server 2012 and later creates a Group Managed Service Account instead, which requires a DNSHostName and a KDS root key and is not bound with the cmdlets used in Step 4. The MSA is associated with its host computer in Step 4. The password is managed automatically and is never set by the administrator.

Step 4: Install the MSA on the Target Computer

Before the MSA can be used on a computer, it must be installed on that host. Run the following command on the domain controller to associate the MSA with the target computer account:

Add-ADComputerServiceAccount -Identity "webserver01" -ServiceAccount "msa_webservice"

Then, on the target server (webserver01), install the MSA to retrieve the credentials from the domain controller:

Install-ADServiceAccount -Identity "msa_webservice"

Step 5: Verify the MSA Installation

After installation, verify that the MSA is correctly installed and functioning on the target computer:

Test-ADServiceAccount -Identity "msa_webservice"

A result of True confirms the MSA is correctly installed and the computer can retrieve the managed password from Active Directory.
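Steps 3 through 5 scripted end to end, with a check at each stage, as an added example that is not part of the original tutorial. It assumes the tutorial's names, an elevated session with the ActiveDirectory module on a management host, PowerShell remoting to the target, and the RSAT AD PowerShell module installed on the target.

```powershell
# Added example: provision a standalone MSA and verify it before use.
# Assumes the ActiveDirectory module, a domain-admin session, PowerShell
# remoting to $TargetHost, and that $TargetHost already exists in AD.
Import-Module ActiveDirectory

$MsaName    = 'msa_webservice'   # tutorial's example name
$TargetHost = 'webserver01'      # tutorial's example host

# Create the standalone MSA. -RestrictToSingleComputer produces an
# msDS-ManagedServiceAccount object; without it a gMSA would be created,
# which Add-ADComputerServiceAccount / Install-ADServiceAccount do not bind.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -RestrictToSingleComputer `
        -Description "MSA for IIS Web Service on $TargetHost"
}

# Bind the MSA to exactly one computer account.
Add-ADComputerServiceAccount -Identity $TargetHost -ServiceAccount $MsaName

# Confirm the object type and the binding from AD before touching the host.
$msa      = Get-ADServiceAccount -Identity $MsaName -Properties HostComputers
$computer = Get-ADComputer -Identity $TargetHost
if ($msa.ObjectClass -ne 'msDS-ManagedServiceAccount') {
    throw "$MsaName is a $($msa.ObjectClass), not a standalone MSA"
}
if ($msa.HostComputers -notcontains $computer.DistinguishedName) {
    throw "$MsaName is not bound to $TargetHost"
}

# Install and test on the target host itself; Test-ADServiceAccount checks
# that *this* computer can retrieve the managed password, so it must run there.
$ok = Invoke-Command -ComputerName $TargetHost -ScriptBlock {
    param($Name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name
} -ArgumentList $MsaName

if (-not $ok) { throw "Test-ADServiceAccount failed for $MsaName on $TargetHost" }
"$MsaName installed and verified on $TargetHost"
```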

Step 6: Configure the Service to Use the MSA

To configure a Windows service to run under the MSA, open Services.msc, right-click the service, and select Properties. On the Log On tab, select This account and enter the account name in the format DOMAIN\msa_webservice$. Note the trailing dollar sign: it is part of the account's SAM account name, as with computer accounts, and the logon fails without it.

Leave the password fields blank — the system manages the password automatically.

Using PowerShell to configure a service:

sc.exe config "W3SVC" obj= "YOURDOMAIN\msa_webservice$" password= ""

Step 7: Configure SPNs for the MSA

If the service requires Kerberos authentication, you need to register a Service Principal Name (SPN) for the MSA. For IIS, SPNs are typically registered for the HTTP service class:

Set-ADServiceAccount -Identity "msa_webservice" -ServicePrincipalNames @{Add="HTTP/webserver01.yourdomain.com", "HTTP/webserver01"}

Verify the SPNs were registered correctly:

Get-ADServiceAccount -Identity "msa_webservice" -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

Step 8: Grant Required Permissions

Like any service account, the MSA should be granted only the minimum permissions required. Use the MSA name with the trailing dollar sign when assigning permissions to local resources:

icacls "C:\inetpub\wwwroot" /grant "YOURDOMAIN\msa_webservice$:(OI)(CI)RX"

Step 9: Monitor and Maintain the MSA

Use PowerShell to review all MSAs in the domain and their associated computers:

Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, HostComputers |
Select-Object Name, HostComputers, Enabled | Format-Table -AutoSize
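Going one step further than the listing above, as an added example that is not part of the original tutorial: an audit that flags standalone MSAs whose password has not rotated within the 30-day window (typically a host that is offline, decommissioned, or cannot reach a domain controller) and MSAs bound to no computer. It assumes the ActiveDirectory module and read access to the domain; the output file name is a placeholder.

```powershell
# Added example: audit standalone MSAs for stale passwords and orphaned bindings.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 30   # rotation interval described in the tutorial
$now = Get-Date

$report = Get-ADServiceAccount -Filter * -Properties HostComputers, PasswordLastSet |
    # Standalone MSAs only; gMSAs are msDS-GroupManagedServiceAccount objects.
    Where-Object { $_.ObjectClass -eq 'msDS-ManagedServiceAccount' } |
    ForEach-Object {
        $ageDays  = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).TotalDays } else { $null }
        $findings = @()
        if ($null -eq $ageDays) {
            $findings += 'password never set'
        } elseif ($ageDays -gt $MaxPasswordAgeDays) {
            # The host rotates the password; a few days past 30 is normal after
            # an outage, anything much longer means the host is not rotating it.
            $findings += "rotation overdue: password age $([int]$ageDays) days"
        }
        if (-not $_.HostComputers) { $findings += 'orphaned: bound to no computer' }
        if (-not $_.Enabled)       { $findings += 'account disabled' }

        [pscustomobject]@{
            Name            = $_.Name
            # HostComputers holds distinguished names; keep just the CN for readability.
            HostComputer    = ($_.HostComputers | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            PasswordAgeDays = if ($null -ne $ageDays) { [int]$ageDays } else { $null }
            Findings        = $findings -join '; '
        }
    }

# Full inventory for the record, then only the accounts that need attention.
$report | Format-Table -AutoSize
$report | Where-Object Findings | Export-Csv -Path '.\msa-findings.csv' -NoTypeInformation
```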

Managed Service Accounts significantly reduce the security risk associated with static service account passwords. By delegating password management to Active Directory, you eliminate the most common cause of service disruptions from expired credentials and ensure that service account passwords are regularly rotated according to domain policy.