Windows Managed Service Accounts

Prerequisites

  • Windows Server 2008 R2 or later (Windows Server 2012 or later for group Managed Service Accounts)

Use

The following account types are supported:

  • Stand-alone Managed Service Accounts (sMSA) bind a managed service account to a single domain-joined machine. They are available when the domain controllers run Windows Server 2008 R2 or later.
  • Group Managed Service Accounts (gMSA) bind a managed service account to a group of domain-joined machines, each of which retrieves the current password from Active Directory. They require at least one domain controller running Windows Server 2012 or later (with a KDS root key created), and the hosts that use them must also run Windows Server 2012 or later.

Once the Managed Service Account (MSA) has been created on the domain controller, installed on each domain-joined machine where the Windows processes will run (Install-ADServiceAccount), and verified there with the PowerShell cmdlet Test-ADServiceAccount (which must return True), follow these steps:

  1. Create a login credential for the MSA you will use for Windows processes. Specify the password as a single tilde character (~). This is the same convention PsExec uses for MSAs, and it tells the Windows Platform Agent that no password is stored for this credential: the account's password is managed by Active Directory and is obtained from it on the host at run time.
  2. Run a Windows process with the MSA in the RunAsUser field, giving the account name with its trailing dollar sign (for example, domain\msa$).

Note: You cannot use Managed Service Accounts with Windows agentless processes.
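The domain-side preparation the steps above assume, as an added PowerShell example that is not part of this page or of the product's own code. The names used (domain corp.example, account svc_jobs, host group JobAgents, host AGENT01) are assumptions; the cmdlets are the standard ones from the ActiveDirectory module (RSAT-AD-PowerShell) and must be run with domain-admin rights on the domain controller and local-admin rights on the host.

```powershell
# Added example (not from the original page): provision a gMSA for the agent hosts,
# then install and verify it on one host before it is used in a RunAsUser field.
# Assumed names: domain corp.example, gMSA 'svc_jobs', group 'JobAgents', host 'AGENT01'.

#--- Once per forest, on a domain controller: the KDS root key that gMSAs depend on.
# By default the key becomes usable ~10 hours after creation so it can replicate to
# every DC. Backdating EffectiveTime is a lab-only shortcut; omit it in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

#--- On a domain controller: a group naming the machines allowed to fetch the password.
New-ADGroup -Name 'JobAgents' -GroupScope Global
Add-ADGroupMember -Identity 'JobAgents' -Members (Get-ADComputer -Identity 'AGENT01')

#--- On a domain controller: create the gMSA. Only members of JobAgents can retrieve
# the managed password; restricting Kerberos to AES prevents RC4 tickets for the account.
New-ADServiceAccount -Name 'svc_jobs' `
    -DNSHostName 'svc_jobs.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'JobAgents' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# sMSA alternative (one host, no group): create it restricted to a single computer,
# then bind it to that computer account.
# New-ADServiceAccount -Name 'svc_jobs' -RestrictToSingleComputer
# Add-ADComputerServiceAccount -Identity 'AGENT01' -ServiceAccount 'svc_jobs'

#--- On AGENT01, after a reboot (or 'klist -li 0x3e7 purge' run as SYSTEM) so that the
# machine's Kerberos ticket carries its new JobAgents membership: install and verify.
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity 'svc_jobs'
if (-not (Test-ADServiceAccount -Identity 'svc_jobs')) {
    throw 'svc_jobs is not usable on this host: check JobAgents membership and ticket refresh.'
}

# The value for the RunAsUser field is the NetBIOS domain plus the sAMAccountName,
# which for an MSA ends in '$' (for example CORP\svc_jobs$).
(Get-ADServiceAccount -Identity 'svc_jobs').SamAccountName
```

Test-ADServiceAccount returning False on a host that is a member of JobAgents almost always means the computer's Kerberos ticket predates the group change; reboot the host or purge the SYSTEM logon session's tickets before trying again.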