All of these commands are run from the Active Directory module for PowerShell, which is available on a domain controller or on a workstation with the RSAT tools installed.
First, create the KDS root key. It is required before any group MSA can be created (on Windows Server 2012 and later, New-ADServiceAccount creates a group MSA by default). A new key normally becomes usable only 10 hours after creation, which gives every domain controller time to replicate it. In a lab or single-DC environment you can backdate -EffectiveTime so it is usable immediately; in a domain with several DCs leave the parameter off, because a DC that has not yet received the key cannot compute managed passwords:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Next create the service account (-DNSHostName is a required parameter):
New-ADServiceAccount -Name WebMSA -DNSHostName dc01.kevinfatkin.net -PassThru
Then link the service account to the computer that will run the service (Web01 here):
Add-ADComputerServiceAccount -Identity Web01 -ServiceAccount WebMSA -PassThru
Confirm the account exists. Set-ADServiceAccount with only -Identity changes nothing; -PassThru just returns the object, and the command fails if the account is missing. Get-ADServiceAccount -Identity WebMSA is the more direct check:
Set-ADServiceAccount -Identity WebMSA -PassThru
Now you can use the account as the identity of your service or IIS application pool: enter it as DOMAIN\WebMSA$ and leave the password empty. Before that, install the account on the host itself (Web01). The command is run on the host, so the computer is implied and only the service account is passed as -Identity. This is required for the standalone MSAs introduced with Windows Server 2008 R2 (Windows Server 2008 has no MSA support) and is still the normal way to install the account on a Windows Server 2012 or later host:
Install-ADServiceAccount -Identity WebMSA
For a group MSA a handy approach is to first create a security group (MSAComputers in this example) and add to it the computer accounts that will run the service. Then create the group service account (GroupMSA here) and name that group as the only principal allowed to retrieve its password (-DNSHostName is required here too, exactly as in the earlier command):
New-ADServiceAccount -Name GroupMSA -PrincipalsAllowedToRetrieveManagedPassword MSAComputers -PassThru
On the host you use the group MSA the same way as a standalone MSA: Install-ADServiceAccount -Identity GroupMSA, then DOMAIN\GroupMSA$ with an empty password as the service or app pool identity. Two caveats: a computer added to MSAComputers only carries the new membership in its Kerberos ticket after a reboot (or after purging the tickets of its SYSTEM logon session), so Install-ADServiceAccount on that host fails until then; and membership of that group is equivalent to knowing the password, because any member can read it, so keep the group small and protect who can change it.
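The whole procedure above, written out as one script. This is an added example, not code from the original post: it follows the post's names (MSAComputers, GroupMSA, Web01, the kevinfatkin.net domain) and assumes web01.kevinfatkin.net as the host's FQDN and KEVINFATKIN as the NetBIOS domain name. Steps 1 to 4 run on a DC or RSAT workstation; step 5 runs on Web01.

```powershell
# Added example (not from the original post). Assumptions: the host is
# web01.kevinfatkin.net and the NetBIOS domain name is KEVINFATKIN.
Import-Module ActiveDirectory

# 1. KDS root key. Backdating -EffectiveTime skips the 10-hour wait that
#    normally lets every DC replicate the key. Only do this in a lab or a
#    single-DC domain; otherwise a DC without the key cannot compute the
#    managed password. Create the key only if none exists yet.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group holding the computers allowed to read the password.
New-ADGroup -Name MSAComputers -GroupScope Global -GroupCategory Security `
    -Description 'Hosts allowed to retrieve the GroupMSA password'
Add-ADGroupMember -Identity MSAComputers -Members (Get-ADComputer -Identity Web01)

# 3. The group MSA itself. -DNSHostName is mandatory; only members of
#    MSAComputers may retrieve the managed password.
New-ADServiceAccount -Name GroupMSA `
    -DNSHostName web01.kevinfatkin.net `
    -PrincipalsAllowedToRetrieveManagedPassword MSAComputers `
    -PassThru

# 4. Confirm the account exists and audit who can read its password.
#    Every principal listed here (and anyone who can edit MSAComputers'
#    membership) effectively owns the service account.
Get-ADServiceAccount -Identity GroupMSA -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 5. On Web01. The computer's Kerberos ticket must reflect its new group
#    membership first: reboot, or purge the SYSTEM logon session's tickets
#    (0x3e7 is that session's logon ID) from an elevated prompt.
#    klist -li 0x3e7 purge
#    Install-ADServiceAccount -Identity GroupMSA
#    Test-ADServiceAccount -Identity GroupMSA   # True once the host can fetch the password
# Then set the service or IIS app pool identity to KEVINFATKIN\GroupMSA$
# with an empty password.
```

Test-ADServiceAccount is the quickest way to tell a replication or group-membership problem from a misconfigured service: if it returns False on the host, the account is not usable there yet and the service identity change will fail regardless of how the pool is configured.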