How To Configure Managed Service Accounts Windows Server 2016

In this article, I’ll show you how to deploy and configure Managed Service Accounts with Windows Server 2016 and Active Directory.

Managed Service Account (MSA) Is a new type of Active Directory Account type where AD responsible for changing the account password every 30 days.

With MSA no one needs to set up the account password or even know it, the entire password management process Is managed by Active Directory.

In my example, I’ll use the Managed Service Account to run my IIS Application Pool.


To use MSA, Active Directory forest level will have to be set to Windows Server 2012 at a minimum.

You will need Active Directory Management Tools to run the cmdlets In this post

Before we start

I have to say that before I wrote this article I visited a few blogs and most of them overcomplicated the process, This post will show you how to deploy MSA In 10 minutes.

Just make sure to test it in the lab before deploying Into production.

Master Root key

The first step In the MSA deployment process Is to create a Master root Key using the cmdlet below.

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) -Verbose

Create Service Account

To create and configure the service. I’ll use 4 cmdlets.

The first cmdlet will create the account and also create a DNS name for the account.

New-ADServiceAccount sms -DisplayName "WDS Service" -DNSHostName sms.test.local

Once the account has been created, I will grant the Server (WDS) access to it, which mean the Server (WDS) will have permission to request a password reset every 30 days from Active Directory.

I could add multiple server names If needed.

Set-ADServiceAccount sms -PrincipalsAllowedToRetrieveManagedPassword wds$

With the cmdlet below, I can test the account (return result should be true).

Test-ADServiceAccount sms |fl

And the final cmdlet will Install the Service Account on the WDS Server.

install-ADServiceAccount sms

Set Windows Service

To setup Windows Server service to use the managed Service account, I’ll open the service and use the format below

Test\sms$ without typing the password.

If the account needs the log in as a service right you will see the prompt below.

Once configured, I can start the service

Just remember that If the service account needs to be part of the Domain Admins group or any other group you will need to add the service to the group as well.

SET IIS Application Pool

Next, I’ll configure IIS Application Pool to use the Service Account.

Using the Application Pools menu and right click on the DefaultAppPool

Select Advanced Settings

In the Advanced Setting -> Process Model -> Identity I’ll change the account

No need to type the password

As you can see below, The Application Pool started and Is using the Service Account.

Get-ADServiceAccount -Filter *


To remove the Service Account from Active Directory, I’ll use the cmdlet below:

Remove-adservcieaccount sms

To remove the account from a Windows service, I’ll run the line below (from command line) with the service name

sc config audiosvr obj= test\Admin password=Password123

Leave a Reply