4. Associate the MSA with the computer on which you want to use it.
Add-ADComputerServiceAccount -Identity <computername> -ServiceAccount <MSAName>
5. Log on to the computer where the MSA will be used and install the MSA to the target computer with this:
Install-ADServiceAccount -Identity <MSAName>
NOTE: DEPENDENCIES
This requires installing the ActiveDirectory Windows PowerShell module and .NET Framework 3.5 or later on the target computer.
Associating an MSA with a service
After the MSA has been assigned to a computer, you can associate it with a service
by using either the GUI or Windows PowerShell. To use the GUI, open services.msc and edit
the properties of the service you want to associate with the MSA. Set the Log On value for the
service to DOMAIN\MSA$, where MSA is the account name you installed on the local computer.
Make sure that the Password and Confirm Password boxes are empty.
To do the same with Windows PowerShell requires a bit of scripting. You need to use
Windows Management Instrumentation (WMI) to set the account for a service:
SetMSa.ps1
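# Logon account for the service: the MSA, including the trailing $
$MSA = "TREYRESEARCH\TestMSA$"
$SvcName = "MSATestSvc"
# An MSA's password is managed by Active Directory, so none is supplied
$Password = $Null
# The WQL filter needs the service name in single quotes
$Svc = Get-WMIObject Win32_Service -filter "Name='$SvcName'"
$InParams = $Svc.psbase.getMethodParameters("Change")
$InParams["StartName"] = $MSA
$InParams["StartPassword"] = $Password
$Svc.invokeMethod("Change",$InParams,$null)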
You can edit the preceding script to change the values of $MSA and $SvcName as
appropriate to your environment.
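The script above discards the result of the Change call, so a failed reassignment goes unnoticed. The following is an added example, not part of the original text: Set-ServiceMsa is a hypothetical wrapper name, and the ReturnValue meanings are taken from the Win32_Service.Change documentation rather than from this page.

```powershell
# Added example: hypothetical wrapper around the WMI Change call shown above.
function Set-ServiceMsa {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account   # e.g. 'TREYRESEARCH\TestMSA$'
    )

    # An MSA logon name has the form DOMAIN\Name$; catch typos before touching the service.
    if ($Account -notmatch '^[^\\]+\\[^\\]+\$$') {
        throw "Expected DOMAIN\Name`$ but got '$Account'."
    }

    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    $in = $svc.psbase.GetMethodParameters('Change')
    $in['StartName']     = $Account
    $in['StartPassword'] = $null   # the MSA password is managed by AD, never typed
    $result = $svc.psbase.InvokeMethod('Change', $in, $null)

    # Win32_Service.Change reports failure through ReturnValue, not an exception.
    switch ($result.ReturnValue) {
        0  { break }
        2  { throw 'Change failed: access denied (run elevated).' }
        15 { throw 'Change failed: service logon failed.' }
        22 { throw 'Change failed: invalid service account (is the MSA installed on this computer?).' }
        default { throw "Change failed with ReturnValue $($result.ReturnValue)." }
    }

    # Re-read the service and confirm the logon account that is now configured.
    $after = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if ($after.StartName -ne $Account) {
        Write-Warning "Service reports logon account '$($after.StartName)'."
    }
    $after | Select-Object Name, StartName, State
}

# Same sample values as SetMSa.ps1
Set-ServiceMsa -ServiceName 'MSATestSvc' -Account 'TREYRESEARCH\TestMSA$'
```

The new logon account takes effect the next time the service starts, so restart the service and confirm it reaches the Running state.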
Removing an MSA
You can remove an MSA from a computer by using Windows PowerShell. You can remove
it from the current computer by using the Uninstall-ADServiceAccount cmdlet on the local
computer where it was installed. Then remove the assignment to the computer by using
the Remove-ADComputerServiceAccount cmdlet. This process leaves the MSA in place
in Active Directory but not assigned to a specific computer, allowing you to reuse the
account on another computer. To remove the MSA entirely from Active Directory, use the
Remove-ADServiceAccount cmdlet.
 