Managed Service Accounts (MSAs)
Managed Service Accounts (MSAs) were introduced with Active Directory Domain Services in Windows Server 2008 R2. They can be used to run services on domain-joined clients and servers and address the typical service account problems:
- Service account password changes cause administrative overhead for IT staff, so organizations often configure service accounts with non-expiring passwords instead.
- Service accounts can often be used outside their intended scope, for instance to send mail through the (authenticated) SMTP gateway, because they are ordinary user accounts whose password is known to whoever configured the service.
These account types have limitations:
- A standalone MSA is bound to a single computer. It cannot be shared across several hosts, so it does not work for load-balanced server farms or failover clusters where the same service identity is needed on more than one machine.
Object: msDS-ManagedServiceAccount
Location in AD: Managed Service Accounts container
Managed Service Accounts (MSAs) can be configured in domains running at the Windows Server 2003 or Windows Server 2008 functional level once the schema has been extended to Windows Server 2008 R2. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management; at the lower functional levels additional configuration steps are required.
Group Managed Service Accounts (gMSAs)
Windows Server 2012 introduced group Managed Service Accounts with the following changes:
– Windows Server 2012 hosts using a gMSA obtain the password and its periodic updates from a domain controller; the password is generated by the Key Distribution Service (KDS) on Windows Server 2012 domain controllers, so no administrator ever handles it
– Password retrieval is limited to the computers (or groups of computers) explicitly authorized on the account
Object: msDS-GroupManagedServiceAccount
Requirements
The group Managed Service Account removes the single-computer limitation: the account password is generated and managed by Windows Server 2012 domain controllers and can be retrieved by multiple Windows Server 2012 systems, so one account can serve a whole farm while Windows handles the password lifecycle. The requirements are:
- at least one Windows Server 2012 domain controller (Windows Server 2012 schema) and a KDS root key created in the domain
- Windows Server 2012 (or Windows 8) or later on the hosts that run the service
- the hosts, or a group containing them, listed as the account's PrincipalsAllowedToRetrieveManagedPassword (stored in the msDS-GroupMSAMembership attribute); only these principals can read the password
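The following PowerShell is added here as an illustration and is not part of the original page. It walks through both account types described above: a standalone MSA bound to exactly one computer, a gMSA whose password may only be retrieved by members of one dedicated group, and an audit that lists who can read each gMSA's password. The domain corp.example, the hosts APP01, WEB01 and WEB02, the group gMSA-WebFarm and the OU path are assumptions for illustration; the cmdlets are the standard ones from the ActiveDirectory RSAT module and need Domain Admin rights.

```powershell
# Added example, not code from the original page. Assumed names: corp.example,
# APP01/WEB01/WEB02, gMSA-WebFarm, OU=Groups. Requires the ActiveDirectory
# RSAT module and Domain Admin rights.
Import-Module ActiveDirectory

# --- One-time domain preparation for gMSAs: the KDS root key -----------------
# Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for
# replication. The backdated EffectiveTime below is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# --- Standalone MSA: usable on exactly one computer --------------------------
New-ADServiceAccount -Name 'svc_backup' -RestrictToSingleComputer -Enabled $true
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc_backup'
# Then on APP01 itself:  Install-ADServiceAccount -Identity svc_backup

# --- gMSA: shared by every member of one tightly scoped group ----------------
New-ADGroup -Name 'gMSA-WebFarm' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity 'gMSA-WebFarm' -Members 'WEB01$', 'WEB02$'

New-ADServiceAccount -Name 'svc_web' `
    -DNSHostName 'svc_web.corp.example' `
    -ServicePrincipalNames 'HTTP/web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebFarm' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256
# On each web server, after a reboot (so the host's Kerberos ticket carries the
# new group membership):
#   Install-ADServiceAccount -Identity svc_web
#   Test-ADServiceAccount  -Identity svc_web   # True when the host can fetch the password

# --- Audit: which principals may read each gMSA's password? ------------------
# Every member of these principals (and every local administrator on those
# hosts) can read msDS-ManagedPassword over a sealed LDAP connection and then
# act as the account, so broad groups here are a privilege escalation path.
function Get-GmsaRetrievalAudit {
    $broad = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')
    Get-ADServiceAccount -Filter { ObjectClass -eq 'msDS-GroupManagedServiceAccount' } `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    ForEach-Object {
        $names = @($_.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
            # Entries are DNs; well-known SIDs (e.g. Authenticated Users) do not
            # resolve as AD objects, so fall back to the raw string.
            try   { (Get-ADObject -Identity $_).Name } catch { $_ }
        })
        [pscustomobject]@{
            Account    = $_.SamAccountName
            SPNs       = ($_.ServicePrincipalNames -join ', ')
            Principals = ($names -join ', ')
            Risky      = [bool]($names | Where-Object { $_ -in $broad })
        }
    }
}

Get-GmsaRetrievalAudit | Sort-Object Risky -Descending | Format-Table -AutoSize
```

The audit is the part worth running regularly: the retrieval list is the real security boundary of a gMSA. Anyone who can write msDS-GroupMSAMembership on the account object, or who administers any computer in the authorized group, effectively owns the account, so keep the group to the hosts that actually run the service and review write permissions on the account object together with the group membership.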