Managed Service Accounts

Creating Managed Service Accounts is fairly straightforward: no passwords are required. These steps are for Windows Server 2008 R2. There is one catch: although Active Directory will let you create a Managed Service Account whose name is longer than 15 characters, it won’t let you install a Managed Service Account longer than 15 characters on a server, so keep names under 15 characters as a rule of thumb. This is the error you get if you try to install such a Managed Service Account on a server: Cannot install service account. Error Message: ‘Unknown error (0xc0000017)’

Also, you cannot use the same Managed Service Account on two servers. There is a one-to-one relationship between a Managed Service Account and the server that uses it.

Create the Managed Service Account

  1. Log on to a domain member server or domain controller, preferably with a domain admin account, and install the Active Directory module for PowerShell. It is installed as a Windows feature.


  2. Once this module is installed, open Windows PowerShell and run:
    1. Import-Module ActiveDirectory
    2. New-ADServiceAccount AccountName -Enabled $True -Path "CN=Managed Service Accounts,DC=domain,DC=local"

Install the Managed Service Account

  1. Log on to the server where you want to use the Managed Service Account and install the Active Directory module for PowerShell there as well. Then run the following:
    1. Import-Module ActiveDirectory
    2. Install-ADServiceAccount AccountName

Check Managed Service Accounts

  1. You can check the Managed Service Accounts installed in the domain, and which computer hosts each one, by running:
    1. Get-ADServiceAccount (when it prompts for a Filter, type *)
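The three steps above, combined into one script as an added example (this is not the original post's code). It assumes the Active Directory module is installed, that it runs as a domain admin on the server that will use the account, and it uses a constructed placeholder name (svc-web01) with the OU path from the post; it also enforces the 15-character limit and the one-account-per-server rule before calling Install-ADServiceAccount.

```powershell
# Added example, not from the original post. Assumes the Active Directory
# module is installed and that this runs, as a domain admin, on the server
# that will use the account. $AccountName is a constructed placeholder; the
# path is the one the post uses.
param(
    [string]$AccountName = 'svc-web01',
    [string]$Path = 'CN=Managed Service Accounts,DC=domain,DC=local'
)

Import-Module ActiveDirectory

# The post's rule of thumb: names over 15 characters create fine but fail at
# Install-ADServiceAccount with 0xc0000017, so refuse them up front.
if ($AccountName.Length -gt 15) {
    throw "Managed Service Account name '$AccountName' is longer than 15 characters."
}

# Create the account only if it does not already exist, so re-runs are safe.
$msa = Get-ADServiceAccount -Filter "Name -eq '$AccountName'" -Properties HostComputers
if (-not $msa) {
    New-ADServiceAccount -Name $AccountName -Enabled $true -Path $Path
    $msa = Get-ADServiceAccount -Identity $AccountName -Properties HostComputers
}

# One MSA per server: stop if the account is already bound to a different host.
$thisHost   = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$otherHosts = @($msa.HostComputers | Where-Object { $_ -ne $thisHost })
if ($otherHosts.Count -gt 0) {
    throw "'$AccountName' is already installed on: $($otherHosts -join ', ')"
}

# Install on this server, then confirm the local machine can actually use it.
Install-ADServiceAccount -Identity $AccountName
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Test-ADServiceAccount failed for '$AccountName' on $env:COMPUTERNAME."
}

# The post's check step: every MSA in the domain with the computer hosting it.
Get-ADServiceAccount -Filter * -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers
```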
