Traditionally, system administrators use Active Directory (AD) basic user accounts with limited permissions to run a service (Service Account).

Managed Service Accounts (MSA) are special accounts to eliminate the need for administrators to manually manage the credentials, passwords, and SPNs of traditional service accounts. Also, with MSAs these tasks no longer disrupt a service (no downtime).


Automatic password changes. No manual password management.


No service downtime for password changes.


Frequent password changes. User login to systems via MSA is not possible.

Initial Setup

Initial setup and troubleshooting is more complex for MSAs than with basic user accounts.

Types of managed service accounts

There are three types of managed service accounts.

Virtual Account

Local system account for local services. Access to network resources is only possible via computer identity.

Managed Service Account (MSA)

Active Directory account for generic services.

Group Managed Service Account (gMSA)

Active Directory account for cluster services.


Use the PowerShell to work with managed service accounts. Install and import the following module on the system on which you want to use MSAs.

$ Install-WindowsFeature RSAT-AD-PowerShell
$ Import-Module ActiveDirectory

Create a managed service account in Active Directory

$ New-ADServiceAccount <account name> -RestrictToSingleComputer

Install a managed service account on a system

Before you can use an MSA, you have to install it on the target system.

$ Install-ADServiceAccount <account name>

You can test the MSA from the system.

$ Test-ADServiceAccount <account name>


Now, use the Services console Services.msc to configure a service to use the MSA.

  • Leave the password blank.

  • Ensure that the account name ends with a dollar sign $.

  • Start or restart the service.

Remove a managed service account

You should remove an MSA from the system if it is no longer needed.

$ Uninstall-ADServiceAccount <account name>

Reset the password for a managed service account

Active Directory manages MSA passwords automatically. You don’t have to do anything. Should you still have to reset the password manually, you can do so.

$ Reset-ADServiceAccountPassword <account name>


A service does not start with a managed service account

Confirm that the MSA exists and is enabled in Active Directory.
$ Get-ADServiceAccount <account name>

DistinguishedName : CN=msa-sql01,CN=Managed Service Accounts,DC=example,DC=com
Enabled           : True
Name              : msa-sql01
ObjectClass       : msDS-ManagedServiceAccount
ObjectGUID        : 12345a13-12e3-1c23-b456-a123e123fd78
SamAccountName    : msa-sql01$
SID               : S-1-5-21-1234567890-1234567890-098765432-184195
UserPrincipalName :
Confirm that the account is installed on the system
$ Install-ADServiceAccount <account name>
Confirm that the account has the SeServiceLogonRight permission
$ NTRights +r SeServiceLogonRight –u <account name>