Windows Managed Service Accounts (MSA)

October 22, 2013

All of these commands must be run through the Active Directory module for PowerShell. This can be installed on your workstation using RSAT tools or on the Domain Controller.

First, before you can create an MSA you must create the KDS root key in the domain. By default the key only becomes usable 10 hours after creation, so that every domain controller has replicated it. In environments that do not have a lot of replication to wait for (a lab or a single domain controller), you can leave in the ((Get-Date).AddHours(-10)) to backdate the key and make it effective immediately:

Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Next add the service account. The -DNSHostName parameter is required; replace <domain-fqdn> with your domain's DNS name:

New-ADServiceAccount -Name WebMSA -DNSHostName WebMSA.<domain-fqdn> -PassThru

Then link the account to the computer that will run the service (Web01 in this example):

Add-ADComputerServiceAccount -Identity Web01 -ServiceAccount WebMSA -PassThru

Set-ADServiceAccount -Identity WebMSA -PassThru

Confirm the account exists:

Get-ADServiceAccount WebMSA

Now you can add the account to your service or to your IIS application pool. If the host is Windows Server 2008 or 2008 R2, you must first run this command on the host itself (Web01 here) to install the account locally:

Install-ADServiceAccount -Identity WebMSA

When adding a group MSA, a nice little trick is to first create an AD security group (named MSAComputers in this example) and add the computers that will use the account as its members. Once you have done so, create the group service account (named GroupMSA here) and point -PrincipalsAllowedToRetrieveManagedPassword at that group, so only its members can retrieve the managed password:

New-ADServiceAccount -Name GroupMSA -DNSHostName GroupMSA.<domain-fqdn> -PrincipalsAllowedToRetrieveManagedPassword MSAComputers -PassThru

You can use the group MSA the same way you use Managed Service Accounts.
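The steps above, pulled together into one script with the checks a practitioner would want around them. This is an added example, not code from the original post; the group name MSAComputers, the account name GroupMSA, the host Web01 and the 30-day rotation interval are assumptions you should change to fit your domain. It is meant to run from a workstation or DC with the Active Directory module loaded.

```powershell
# Added example (not from the original post): end-to-end gMSA setup with checks.
# Assumed names: group MSAComputers, gMSA GroupMSA, host Web01. Adjust for your domain.
Import-Module ActiveDirectory

$GroupName   = 'MSAComputers'
$AccountName = 'GroupMSA'        # keep to 15 characters; AD appends '$' for the sAMAccountName
$HostNames   = @('Web01')
$DnsRoot     = (Get-ADDomain).DNSRoot

# 1. KDS root key: create one only if the domain has none. Backdating with -EffectiveTime
#    skips the 10-hour replication wait, which is fine in a lab but in production the
#    default delay is what guarantees every DC can derive the same password.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. Security group whose members may retrieve the managed password. Limiting this to the
#    computers that actually run the service is what limits who can use the identity.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$computers = $HostNames | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $computers

# 3. The gMSA itself. -DNSHostName is mandatory; the rotation interval and the Kerberos
#    encryption types are set explicitly instead of being left at their defaults.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "$AccountName.$DnsRoot" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType 'AES128,AES256' `
        -PassThru
}

# 4. Review who can pull the password. Any principal beyond the intended group is a
#    finding to fix before the account is put in front of a service.
Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

On Web01 itself, run Install-ADServiceAccount -Identity GroupMSA and then Test-ADServiceAccount -Identity GroupMSA. The test returns True once the host can retrieve the password; it stays False until the host has rebooted (or otherwise obtained a fresh Kerberos ticket) after being added to MSAComputers, because the group membership has to be present in the computer's token.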