Utilizing Managed Service Accounts for Lync Server


Active Directory 2008 R2 introduced a new type of service account known as a managed service account (MSA). Managed service accounts work like computer accounts in Active Directory: they rotate their own passwords automatically every 30 days, and they cannot be used by a person to log on interactively to a computer. Managed service accounts are exceptionally useful for applications that require named accounts and need heightened security, because no administrator ever knows or handles the password.

To create a managed service account in Active Directory, you must use PowerShell:

1. Click Start, Administrative Tools, and Active Directory Module for Windows PowerShell.

2. Type `New-ADServiceAccount MSAName -Enabled $true`.

This creates an MSA in the Managed Service Accounts OU called MSAName, as shown in Figure 12.15.

Figure 12.15 Creating a Managed Service Account


To use this MSA on a server, perform the following steps:

1. Log on to the server that will use the MSA.

2. Click Start, Administrative Tools, and Services.

3. When prompted for permissions, click Continue.

4. Right-click the service that will use the MSA and click Properties.

5. Click the Log On tab, click This Account, and type the name of the MSA in the format domain\MSAname. Leave the password fields blank, because the password is managed by Active Directory. Click OK.

6. Select the service and click Start the Service. Verify that the MSA name appears in the Log On As column.

From this point forward, the service account updates its own password every 30 days, as a computer account does in Active Directory. The result is a strong password that is not known by any administrator on the network.

Note that only one computer can use a particular managed service account. If multiple computers need to run a service under a managed service account, configure one MSA per system.
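The two procedures above (creating the MSA in Active Directory, then binding it to a service on a server) can be carried out end to end from PowerShell, which also lets you verify that the password rotation described above is actually happening. The following script is an added example and is not from the book; the account name `LyncSvcMSA`, server name `LYNCFE01` and service name `ExampleService` are placeholders to replace with your own. It relies on the Active Directory module cmdlets `New-ADServiceAccount`, `Add-ADComputerServiceAccount`, `Install-ADServiceAccount`, `Test-ADServiceAccount` and `Get-ADServiceAccount`, and on `sc.exe` to set the service logon. When an MSA is referenced by a service, its SAM name carries a trailing `$`, exactly like a computer account.

```powershell
# Added example: provisioning and verifying a standalone managed service account.
# Placeholder values (assumptions, not from the book):
$MsaName     = 'LyncSvcMSA'      # name of the MSA to create
$ServerName  = 'LYNCFE01'        # the single computer allowed to use it
$ServiceName = 'ExampleService'  # Windows service that will run as the MSA
$Domain      = (Get-ADDomain).NetBIOSName

Import-Module ActiveDirectory

# --- Part 1: run on a domain-joined admin workstation or domain controller ---

# Create the MSA (lands in CN=Managed Service Accounts by default).
# On Windows Server 2012 or later the same cmdlet creates a group MSA unless
# -RestrictToSingleComputer is given; on 2008 R2 only standalone MSAs exist.
New-ADServiceAccount -Name $MsaName -Enabled $true `
    -Description 'Service account for Lync Server service (example)'

# Bind the MSA to the one computer that may use it. This is what enforces
# the "one computer per MSA" rule noted in the text.
Add-ADComputerServiceAccount -Identity $ServerName -ServiceAccount $MsaName

# --- Part 2: run on the target server ($ServerName) as a local administrator ---

# Install the MSA locally; the host retrieves and caches the managed password.
Install-ADServiceAccount -Identity $MsaName

# Confirm the host can authenticate as the MSA before touching any service.
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA $MsaName is not usable on $env:COMPUTERNAME; check Add-ADComputerServiceAccount."
}

# Point the service at the MSA. The logon name takes the computer-account
# style trailing '$', and the password is left empty because AD manages it.
# Unlike the Services MMC, sc.exe does not grant "Log on as a service"
# automatically, so assign that right to the MSA (group policy or secedit)
# if the service fails to start afterwards.
$Logon = "$Domain\$MsaName`$"
sc.exe config $ServiceName obj= $Logon password= ""
Restart-Service -Name $ServiceName

# Verify the service really runs as the MSA (equivalent to the Log On As column).
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State

# --- Part 3: auditing the rotation ---

# PasswordLastSet should advance roughly every 30 days on its own. A value
# older than that is a sign the host is not refreshing the managed password
# and is worth investigating before the service starts failing to log on.
$Msa = Get-ADServiceAccount -Identity $MsaName -Properties PasswordLastSet, HostComputers
[pscustomobject]@{
    Account         = $Msa.SamAccountName
    PasswordLastSet = $Msa.PasswordLastSet
    PasswordAgeDays = [int]((Get-Date) - $Msa.PasswordLastSet).TotalDays
    HostComputers   = $Msa.HostComputers -join ', '
}
```

Parts 1 and 2 run on different machines, which is why the script is split rather than run top to bottom on one host. Part 3 is the check a defender wants: an MSA whose `PasswordLastSet` stops advancing has lost the property that makes it safer than a regular service account.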
