
Does a Managed Service Account require a domain?

I am trying to set up a standalone server (no domain) to add managed service accounts to assign for running services instead of creating local user accounts.

I would prefer to use PowerShell cmdlets to automate this task, but I am also fine with using cmd tools or the like.

The goal is to run internal services using the standard (the normal computers have AD so we have AD managed MSAs) process but without requiring a domain for demo purposes.

Is this possible?

Alternately if there was a similar password-less method to do this I would appreciate using that as well.

jcolebrand
  • `Does a Managed Service Account require a domain?` - Yes. `Alternately if there was a similar password-less method to do this I would appreciate using that as well.` - It sounds like you're looking for virtual accounts. - https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx – joeqwerty May 02 '17 at 19:45
  • `...instead of creating local user accounts`. Why do the services need an account? – Greg Askew May 02 '17 at 19:51
  • @GregAskew because we use service level authentication to SQL to restrict access to schemas. – jcolebrand May 02 '17 at 19:52
  • @joeqwerty I'm just an idiot because I can't see how to create individual virtual accounts beyond the MS default three. Can you at least point me at that paragraph? – jcolebrand May 02 '17 at 19:53
  • It's near the bottom of the article - https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx#Anchor_11 – joeqwerty May 02 '17 at 19:54

1 Answer


Managed Service Accounts aren't a feature of Windows Server but of Active Directory.

MSAs allow you to create an account in Active Directory that is tied to a specific computer.

And this is how it works:

> The Windows Server 2008 R2 AD Schema introduces a new object class called msDS-ManagedServiceAccount. [...]
>
> The object is a user and a computer at the same time, just like a computer account. But it does not have an object class of person like a computer account typically would; instead it has msDS-ManagedServiceAccount. MSAs inherit from a parent object class of "Computer", but they are also users. [...]
>
> An MSA is a quasi-computer object that utilizes the same password update mechanism used by computer objects. So, the MSA account password is updated when the computer updates its password.

So it is impossible to have MSAs without a domain, and the AD DS Administration Cmdlets only work against a Domain Controller. (It's a hint that every single one has AD in it, like Get-ADServiceAccount.)

If you don't want to have this demo environment as a part of your existing domain, you could easily create a separated demo domain (or use Virtual Accounts instead, like mentioned in comments). Creating a new domain could be an option if the purpose of your demo server is to test your configuration on an identical environment before using it in production.

Esa Jokinen
  • Ehhhh, creating a domain to manage a dozen accounts is unfortunately a bit more overhead than I was hoping for here. I think we are just gonna have to go with `New-LocalAccount -NoPassword` – jcolebrand May 02 '17 at 19:53
  • Yes, there are alternatives, and the others may provide some more. Personally I don't see one `dcpromo` such a big deal. Maybe I'm just a nutcase; I've had AD at home for managing... three accounts. – Esa Jokinen May 02 '17 at 20:52
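Added example (not from the question or the answer above): the password-less route the comments point to, configuring a service on a standalone server to run under its own virtual account, with a check that distinguishes the domain-joined case where an MSA would apply. The service name `DemoSvc` is an assumption.

```powershell
# Added example, not the asker's or answerer's code. Assumes a service named
# DemoSvc already exists on a standalone (non-domain) server; run elevated.
#Requires -RunAsAdministrator

function Test-DomainMember {
    # Virtual accounts work on any Windows host; MSAs only where this is $true.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Set-ServiceVirtualAccount {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    # The virtual account is derived from the service's short name, never its display name.
    $account = "NT SERVICE\$($svc.Name)"

    # sc.exe needs the space after 'obj='. No password is supplied: the Service
    # Control Manager owns the logon for virtual accounts, so there is none to store.
    & sc.exe config $svc.Name obj= $account
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

    # Verify what the SCM actually recorded instead of trusting the exit code alone.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    if ($cim.StartName -ne $account) { throw "Service still runs as $($cim.StartName)" }
    return $cim.StartName
}

if (Test-DomainMember) {
    # Domain-joined: the answer's route applies here, e.g. New-ADServiceAccount on the
    # DC followed by Install-ADServiceAccount on this host, then obj= "DOMAIN\name$".
    Write-Host "Domain-joined host: use an MSA instead of a virtual account."
} else {
    $who = Set-ServiceVirtualAccount -ServiceName 'DemoSvc'
    Write-Host "DemoSvc is configured to run as $who (takes effect on next start)"
    # A local SQL Server instance sees this identity as [NT SERVICE\DemoSvc], so the
    # per-service schema restrictions from the comments can be granted without a
    # stored password, e.g.:  CREATE LOGIN [NT SERVICE\DemoSvc] FROM WINDOWS;
    Restart-Service -Name 'DemoSvc'
}
```

If the restart fails with a logon failure, confirm the account in services.msc shows `NT SERVICE\DemoSvc` with an empty password; that dialog is the reference way to set the same thing by hand.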