New in Windows 2008 R2: Managed Service Account
One of the new features in Microsoft Windows Server 2008 R2 is 'Managed Service Accounts': user accounts that we can assign to our services. We all have password expiration policies in our Active Directory, and there is always some service that does not start with the local system account (SYSTEM) but with an account that has more privileges. To avoid the hassle of managing accounts whose passwords expire, or of leaving them vulnerable because the password is always the same and someone could take advantage of that, Microsoft has released this new feature. Of course, to be able to use it, our Active Directory has to be in “Windows Server 2008 R2”.
These are managed accounts that do not necessarily need a password set directly. To create an account of this type, we use the “Active Directory Module for Windows PowerShell” on a domain controller:
New-ADServiceAccount -Name ACCOUNT_NAME -Path "cn=Managed Service Accounts,dc=DOMAIN,dc=DOMAIN"
or
New-ADServiceAccount ACCOUNT_NAME -AccountPassword (ConvertTo-SecureString -AsPlainText "PASSWORD" -Force) -Enabled $true -Path "cn=Managed Service Accounts,dc=DOMAIN,dc=DOMAIN"
Then, in the service we want to assign the account to, we set it as always (“This account” > “Browse” > and we search for the service account). Note that the machine must be Windows 2008 R2 or Windows 7.
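To decide which services should move to a managed account first, it helps to list the ones that still log on with an ordinary user account and see how old that password is. The script below is an added example, not part of the original post; it assumes it runs on a domain-joined machine with the Active Directory module installed, and the function name Get-LogonAccountKind is made up for the illustration.

```powershell
# Added example: inventory the services on this machine that log on with an
# ordinary user account and report the age of that account's password.
# Assumes the ActiveDirectory module is installed on the machine.
Import-Module ActiveDirectory

# Built-in identities: there is no password for an administrator to rotate.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-LogonAccountKind {   # hypothetical helper name
    param([string]$StartName)
    if (-not $StartName)                 { return 'None' }      # no logon account recorded
    if ($builtIn -contains $StartName)   { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*') { return 'BuiltIn' }   # virtual accounts
    if ($StartName.EndsWith('$'))        { return 'Managed' }   # MSA logon names end in $
    if ($StartName -like '.\*')          { return 'LocalUser' } # local account, not in AD
    return 'DomainUser'
}

$report = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $kind = Get-LogonAccountKind $svc.StartName
    if ($kind -ne 'LocalUser' -and $kind -ne 'DomainUser') { continue }

    $ageDays = $null; $neverExpires = $null
    if ($kind -eq 'DomainUser') {
        # Accept both DOMAIN\user and user@domain logon names.
        $sam  = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet, PasswordNeverExpires
        if ($user) {
            $neverExpires = $user.PasswordNeverExpires
            if ($user.PasswordLastSet) { $ageDays = ((Get-Date) - $user.PasswordLastSet).Days }
        }
    }
    New-Object PSObject -Property @{
        Service = $svc.Name; Account = $svc.StartName; Kind = $kind
        PasswordAgeDays = $ageDays; PasswordNeverExpires = $neverExpires
    }
}

# Oldest passwords first: the first candidates to move to a managed account.
$report | Sort-Object PasswordAgeDays -Descending |
    Select-Object Service, Account, Kind, PasswordAgeDays, PasswordNeverExpires |
    Format-Table -AutoSize
```

Services already running under a managed account are skipped, so after a migration the same script shows what is left to convert.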