In last post I wrote few words about MSA and gMSA and in this post I’d like to show you how to make use of gMSA using Powershell of course :).
My test environment is
DS-DC-01 – Windows Server 2012 domain controller
SC-DB-01 – Windows Server 2012 machine for SCCM SQL database
SC-DB-02 – Windows Server 2012 for extending SQL to a cluster.
On Wojcieh.net blog I found really nice tutorial how to create application user in Active Directory. So I’d like to write few words about alternative way to create application users, by using MSA or with Windows Server 2012 gMSA.
What is MSA ?
With Windows Server 2008 R2 Microsoft introduced “Managed Service Accounts” – to simplify account management for accounts, that used by applications on a different servers. In the old times, administrators were creating standard domain users, add this users to local administrators group on the remote computers, assign the “Logon as a service” right and for most of the time set the password to never expire. Moreover if one wanted to be more secure, the “Deny log on locally” right should also be modified. With MSA this was simplified and MSA offers automatic password management (passwords are updated automatically every 30 days) and simplified SPN management which can be delegated to other administrators. Continue reading