How to Configure Managed Service Accounts on Windows Server 2012 R2

Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 to address the operational challenges of managing traditional service account passwords. An MSA is a special type of domain account whose password is automatically managed by Active Directory — the password is a 240-character complex string that rotates every 30 days by default. MSAs eliminate the need for administrators to manually rotate service account passwords and update service configurations. The key limitation of standard MSAs is that they are bound to a single computer — they cannot be used on multiple servers simultaneously. For multi-server scenarios, Group Managed Service Accounts (gMSAs) are the solution. This guide covers the configuration and use of standard Managed Service Accounts on Windows Server 2012 R2.

Prerequisites

Standard Managed Service Accounts require the following:

The domain functional level must be at least Windows Server 2008 R2. The service host computer must be running Windows Server 2008 R2 or Windows 7 or later. Domain Admin rights are required to create MSAs. The ActiveDirectory module must be available on the management computer.

Import-Module ActiveDirectory

Creating a Managed Service Account

MSAs are created in AD using New-ADServiceAccount and are stored in the Managed Service Accounts container (CN=Managed Service Accounts,DC=domain,DC=com) by default:

# Create a Managed Service Account
New-ADServiceAccount `
    -Name "msa-sqlsvc" `
    -DNSHostName "SQLDB01.contoso.com" `
    -Description "MSA for SQL Server service on SQLDB01" `
    -Path "CN=Managed Service Accounts,DC=contoso,DC=com"

The -DNSHostName parameter associates the MSA with a specific host. This is important because only the specified computer can retrieve the MSA’s password from AD.

Associating the MSA with a Computer

Before the MSA can be used on a computer, the computer account must be added as a principal allowed to retrieve the MSA’s managed password:

# Associate the MSA with the computer that will use it
Add-ADComputerServiceAccount -Identity "SQLDB01" -ServiceAccount "msa-sqlsvc"

# Verify the association
Get-ADComputer -Identity "SQLDB01" -Properties ServiceAccount |
    Select-Object Name, ServiceAccount

Installing the MSA on the Host Computer

On the computer that will run the service, install the MSA by running the Install-ADServiceAccount cmdlet. This downloads the MSA’s credentials and installs them in the local credential store. This step must be run on the actual service host computer, or remotely using PowerShell remoting:

# Run on the service host computer (SQLDB01) or via remoting
Invoke-Command -ComputerName "SQLDB01" -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity "msa-sqlsvc"
    
    # Test the MSA installation
    Test-ADServiceAccount -Identity "msa-sqlsvc"
}

If Test-ADServiceAccount returns $true, the MSA is correctly installed and the computer can authenticate using it.

Configuring a Windows Service to Use an MSA

To configure a Windows service to run under an MSA, specify the account in the format DOMAIN\AccountName$ (note the trailing dollar sign) with a blank password. The MSA password is managed automatically by the system — you do not provide a password:

# Configure a service to run under the MSA
# Use SC.exe on the service host
sc.exe config SQLSERVERAGENT obj= "CONTOSO\msa-sqlsvc$" password= ""

# Or use PowerShell via WMI
Invoke-Command -ComputerName "SQLDB01" -ScriptBlock {
    $svc = Get-WmiObject Win32_Service -Filter "Name='SQLSERVERAGENT'"
    # Win32_Service.Change takes 11 positional arguments; the 7th is StartName
    # and the 8th is StartPassword. Single quotes keep the trailing $ literal.
    $result = $svc.Change(
        $null,$null,$null,$null,$null,$null,
        'CONTOSO\msa-sqlsvc$',   # Service account
        "",                      # Empty password — managed by AD
        $null,$null,$null
    )
    if ($result.ReturnValue -eq 0) {
        Write-Host "Service account updated successfully"
        Restart-Service SQLSERVERAGENT
    } else {
        Write-Warning "Failed: return value $($result.ReturnValue)"
    }
}
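The following function is an added example, not code from the original article: it wraps the same Win32_Service.Change call shown above, but refuses to change the service unless Test-ADServiceAccount succeeds on the host first, and then re-reads the service to confirm the logon account actually took effect. The host name, service name, MSA name and NetBIOS domain in the usage line are assumptions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed on the service host, as the article's Install step does.
function Set-ServiceToMsa {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$ServiceName,
        [Parameter(Mandatory)] [string]$MsaName,       # e.g. 'msa-sqlsvc' (no trailing $)
        [Parameter(Mandatory)] [string]$NetBiosDomain  # e.g. 'CONTOSO'
    )
    # Build the DOMAIN\name$ form the service control manager expects for an MSA
    $account = "$NetBiosDomain\$MsaName`$"

    Invoke-Command -ComputerName $ComputerName -ArgumentList $ServiceName, $MsaName, $account -ScriptBlock {
        param($ServiceName, $MsaName, $account)
        Import-Module ActiveDirectory

        # Do not touch the service if the MSA is not installed on this host;
        # otherwise the service would fail to start at the next restart.
        if (-not (Test-ADServiceAccount -Identity $MsaName)) {
            throw "MSA '$MsaName' is not installed on $env:COMPUTERNAME; run Install-ADServiceAccount first."
        }

        $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
        if (-not $svc) {
            throw "Service '$ServiceName' not found on $env:COMPUTERNAME."
        }

        # Positions 7 and 8 of Win32_Service.Change are StartName and StartPassword
        $result = $svc.Change($null,$null,$null,$null,$null,$null,$account,"",$null,$null,$null)
        if ($result.ReturnValue -ne 0) {
            throw "Win32_Service.Change failed with return value $($result.ReturnValue)"
        }

        Restart-Service -Name $ServiceName

        # Re-read the service and report whether the effective logon account matches
        $after = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Service   = $ServiceName
            StartName = $after.StartName
            State     = $after.State
            Matches   = ($after.StartName -eq $account)
        }
    }
}

# Usage (assumed names):
# Set-ServiceToMsa -ComputerName 'SQLDB01' -ServiceName 'SQLSERVERAGENT' `
#     -MsaName 'msa-sqlsvc' -NetBiosDomain 'CONTOSO'
```

The returned object's Matches field is the check worth keeping in a change record: a zero return value from Change() only says the request was accepted, while StartName read back from the service shows what the host will actually use at the next start.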

Configuring Scheduled Tasks to Use an MSA

MSAs can also be used for scheduled tasks, which is a common use case for batch jobs and maintenance scripts:

# Create a scheduled task using an MSA
Invoke-Command -ComputerName "SQLDB01" -ScriptBlock {
    $action = New-ScheduledTaskAction `
        -Execute "PowerShell.exe" `
        -Argument "-NonInteractive -File C:\Scripts\BackupJob.ps1"
    
    $trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
    
    # -LogonType Password is the logon type used for MSAs; the password itself
    # is never entered because AD manages it
    $principal = New-ScheduledTaskPrincipal `
        -UserID 'CONTOSO\msa-sqlsvc$' `
        -LogonType Password `
        -RunLevel Highest
    
    Register-ScheduledTask `
        -TaskName "SQL-BackupJob" `
        -Action $action `
        -Trigger $trigger `
        -Principal $principal `
        -Description "Automated SQL backup using MSA"
}

Configuring SPNs for MSAs

If the service needs Kerberos authentication, register the appropriate SPNs on the MSA account. SPNs on MSAs follow the same rules as regular service accounts:

# Register SPNs on the MSA
Set-ADServiceAccount -Identity "msa-sqlsvc" -ServicePrincipalNames @{
    Add = "MSSQLSvc/SQLDB01.contoso.com:1433","MSSQLSvc/SQLDB01.contoso.com"
}

# Verify SPNs
Get-ADServiceAccount -Identity "msa-sqlsvc" -Properties ServicePrincipalNames |
    Select-Object -ExpandProperty ServicePrincipalNames

Password Management and Rotation

The password for an MSA is automatically rotated by the DC every 30 days, and the service host retrieves the new password when the next rotation occurs. Routine rotation requires no administrator action. In emergency scenarios where you need to force an immediate password reset:

# Reset the MSA password (forces rotation on next retrieval)
Reset-ADServiceAccountPassword -Identity "msa-sqlsvc"

# After resetting, reinstall on the host to pull the new password
Invoke-Command -ComputerName "SQLDB01" -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity "msa-sqlsvc"
}

Removing an MSA

# Uninstall from the host first
Invoke-Command -ComputerName "SQLDB01" -ScriptBlock {
    Import-Module ActiveDirectory
    Uninstall-ADServiceAccount -Identity "msa-sqlsvc"
}

# Remove the computer association
Remove-ADComputerServiceAccount -Identity "SQLDB01" -ServiceAccount "msa-sqlsvc"

# Delete the MSA from AD
Remove-ADServiceAccount -Identity "msa-sqlsvc" -Confirm:$false

Auditing and Listing MSAs

# List all MSAs in the domain
Get-ADServiceAccount -Filter {ObjectClass -eq "msDS-ManagedServiceAccount"} `
    -Properties HostComputers, ServicePrincipalNames, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet,
    @{N="SPNs";E={$_.ServicePrincipalNames -join ";"}}

# Check if MSA is installed on a specific computer
Get-ADComputer -Identity "SQLDB01" -Properties ServiceAccount
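The listing above shows the raw attributes; the function below is an added example, not part of the original article, that turns the same query into an audit report. It flags MSAs with no host association (orphaned), more than one host association (standard MSAs are single-host, as stated at the top of the article), a PasswordLastSet older than the rotation interval, and disabled accounts. The 30-day threshold is the article's default rotation interval; treating anything older as stale is an assumption you can tune.

```powershell
# Added example (not from the original article): audit every standard MSA in
# the domain and attach findings an operator would want to act on.
function Get-MsaAuditReport {
    param(
        [int]$MaxPasswordAgeDays = 30   # default rotation interval from the article; assumed threshold
    )
    Import-Module ActiveDirectory
    $now = Get-Date

    Get-ADServiceAccount -Filter {ObjectClass -eq "msDS-ManagedServiceAccount"} `
        -Properties HostComputers, ServicePrincipalNames, PasswordLastSet, Enabled |
    ForEach-Object {
        $hosts = @($_.HostComputers)
        $ageDays = if ($_.PasswordLastSet) {
            [int]($now - $_.PasswordLastSet).TotalDays
        } else {
            $null
        }

        $findings = @()
        # No host can ever retrieve the password: the account is orphaned
        if ($hosts.Count -eq 0) { $findings += 'NoHostComputer' }
        # Standard MSAs are bound to one computer; more than one signals a configuration error
        if ($hosts.Count -gt 1) { $findings += 'MultipleHosts' }
        # Rotation has not happened within the expected window (or never)
        if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { $findings += 'PasswordStale' }
        # Disabled accounts should be uninstalled from their host and removed
        if (-not $_.Enabled) { $findings += 'Disabled' }

        [pscustomobject]@{
            Name            = $_.Name
            HostComputers   = ($hosts -join ';')
            PasswordAgeDays = $ageDays
            SPNs            = (@($_.ServicePrincipalNames) -join ';')
            Findings        = ($findings -join ',')
        }
    }
}

# Usage: show only accounts with at least one finding
# Get-MsaAuditReport | Where-Object Findings | Format-Table -AutoSize
```

Running this on a schedule and diffing the Findings column against the previous run is a cheap way to notice an MSA whose rotation has silently stopped, or one left behind after its host was decommissioned without the Uninstall and Remove steps in the previous section.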

Summary

Managed Service Accounts on Windows Server 2012 R2 eliminate manual password management for service accounts on individual servers. The automatic 30-day password rotation managed by Active Directory removes a significant operational and security burden. MSAs are ideal for services running on a single host. The creation workflow involves creating the MSA, associating it with the computer account, installing it on the host, and configuring the service to use the MSA with a blank password entry. For services spanning multiple servers (load-balanced web farms, SQL clusters), Group Managed Service Accounts are the appropriate solution.