<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Thycotic Community - Secret Server - Windows Managed Service accounts in 2008 R2 - Messages</title>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<description>Thycotic Community - Secret Server - Windows Managed Service accounts in 2008 R2 - Messages</description>
<language>en-us</language>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Jitbit AspNetForum</generator>
<pubDate>Tue, 24 Aug 2010 11:37:51 GMT</pubDate>
<lastBuildDate>Tue, 24 Aug 2010 11:37:51 GMT</lastBuildDate>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<title>Message from Adam D</title>
<description><![CDATA[Thank you Jonathan, this is great information.]]></description>
<pubDate>Tue, 24 Aug 2010 11:37:51 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<title>Message from Jonathan</title>
<description><![CDATA[Thanks to David and Kevin on the technical team for putting together these notes:<br/><br/>Managed Service Accounts are a new feature that is available in Windows 7 and Server 2008 R2.  They are special domain accounts that have automatic password management. They exist in the "Managed Service Accounts" container in AD and have their own samAccountName (like groups and users).<br/><br/>Creating new managed service accounts and installing them on local computers can only be done through PowerShell scripts.<br/>Once created and installed on a machine, a managed service account can be used to run services or application pools by entering DOMAIN\Managed Service Account name (with a dollar sign at the end) as the account name and leaving the password field blank.<br/>Usually, managed service accounts are delegated to have service administrator privileges. However, this cannot be done through PowerShell and must be done through AD DS (or as a Dsacls script).<br/><br/>Managed service account passwords can be reset through PowerShell (and only PowerShell), but the password cannot be specified since it is automatically managed. Under normal circumstances, the AD DS will automatically reset the password based on domain security principles.<br/>From what I gather, the main benefits are isolation of accounts and automated password resets. They are good for running services and application pools.<br/><br/>The downside is the inconvenience of having to create a different account for each machine and the setup time required for each account. It is also time-consuming to move a service account from one machine to another.
The biggest security downside is that the password is never actually required by the user, so a local admin on a machine with a managed service account installed has complete control over that account.<br/><br/>Right now, Secret Server has no support for managed service accounts, but we are looking at integration for a future release.<br/>]]></description>
<pubDate>Tue, 20 Jul 2010 14:46:17 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<title>Message from Adam D</title>
<description><![CDATA[ok, thank you.]]></description>
<pubDate>Wed, 14 Jul 2010 15:33:12 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<title>Message from Jonathan</title>
<description><![CDATA[Adam,<br/><br/>Sorry for the long delay here.  The technical team did some research and sent me their notes - I just haven't had a chance to compile and post them yet.  Will do so soon.<br/><br/>Best.]]></description>
<pubDate>Tue, 22 Jun 2010 04:50:55 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=279</link>
<title>Message from Adam D</title>
<description><![CDATA[Hey Jonathan,<br/>There is a new feature in Windows Server 2008 R2 called Windows Managed Service accounts. I was curious if your team has looked into this and may be incorporating this feature.]]></description>
<pubDate>Fri, 28 May 2010 16:08:03 GMT</pubDate>
</item>
</channel>
</rss>
