Windows Managed Services Accounts
Prerequisites
- Windows 2008R2 or later
Use
The following account types are supported:
- Stand-alone Managed Service Accounts (sMSA) link a managed service account to a single domain-joined machine. This is available for Windows domain controllers running Windows Server 2008R2 onwards.
- Group Managed Service Accounts (gMSA) link a managed service account to a group of domain-joined machines. This is available for Windows domain controllers running Windows Server 2012R2 onwards.
Once the MSA has been set up on the domain controller, and verified using the PowerShell cmdlet Test-ADServiceAccount on the domain-joined boxes where the Windows processes will be run, follow these steps:
- Create a login credential for the MSA you will use for Windows processes. The password should be specified as the tilde character (~). This is identical to the psexec syntax and informs the Windows Platform Agent that, for this credential, the actual password should be obtained from Active Directory rather than stored.
- Run a Windows process specifying the MSA as the RunASUser field, for example domain\msa$.
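The verification step above, as an added pre-flight script that is not part of the original page or the Windows Platform Agent: run it on the domain-joined host before creating the "~" credential. It assumes the RSAT ActiveDirectory module is installed, that the caller is a local administrator, and that the account name is passed without its trailing `$`.

```powershell
# Added example, not product code: check that this host can use the MSA
# before the '~' credential is created. Assumes the ActiveDirectory module.
param(
    [Parameter(Mandatory)][string]$AccountName   # e.g. 'msa' (no trailing $)
)
Import-Module ActiveDirectory -ErrorAction Stop

# ObjectClass tells sMSA and gMSA apart; the gMSA property lists which hosts
# are permitted to fetch the password from Active Directory.
$acct = Get-ADServiceAccount -Identity $AccountName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

if ($acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount') {
    Write-Host "gMSA; principals allowed to retrieve the managed password:"
    $acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "sMSA; the account is linked to a single host"
}

# Test-ADServiceAccount returns $true only when this host can retrieve and
# use the password, which is exactly what the agent relies on at run time.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    Write-Warning "Not usable on $env:COMPUTERNAME yet; installing the account locally"
    Install-ADServiceAccount -Identity $AccountName
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "Still failing: confirm $env:COMPUTERNAME is allowed to retrieve the password (gMSA) or is the linked host (sMSA)"
    }
}

Write-Host "OK: create the credential with password '~' and set RunASUser to '$env:USERDOMAIN\${AccountName}`$'"
```

If the final check fails for a gMSA, the fix belongs on the domain controller (adding the host to PrincipalsAllowedToRetrieveManagedPassword), not in the agent credential.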
Caveats
You cannot use Managed Service Accounts with Windows agentless processes.