- FREE: File Permissions Check – Compare folder and file permissions - Fri, Feb 20 2015
- FREE: ABC-Deploy – Software deployment and inventory - Wed, Apr 16 2014
- FREE: AD Permissions Reporter – View Active Directory permissions - Fri, Feb 7 2014
Submitted by Chris Wright - Website: Cjwedev
Managed Service Accounts (MSAs) are a great new feature that was added to Windows Server 2008 R2 and Windows 7 (only available once you have upgraded your forest and domain schema to 2008 R2). They are a special type of AD account that can be assigned to a computer, then any Windows Services running on that computer can be set to run as that MSA and AD will take care of automatically changing the password for the account every 30 days and keeping it secure (without ever needing to restart the services running as that account).
Managed Service Accounts GUI
Another security bonus to using an MSA to run a service is that unlike a conventional domain user account that would normally be used to run services, you cannot log on to a computer interactively (at the Ctrl Alt Del screen) with an MSA. There are many benefits to using MSAs, but I won't go into too much detail here as there are already plenty of articles that explain their purpose of Managed Service Accounts and how to use them, including one here on 4sysops.
The only problem with MSAs is that the ONLY way to create, configure, assign, and install an MSA is via at least 3 separate PowerShell cmdlets (one of which must be run locally on the computer where you want to use the MSA). Whilst PowerShell is great for automating and scripting things, I felt that it would be a lot easier for most people if there was a nice intuitive GUI based program for working with MSAs.
So I developed this Managed Service Accounts GUI tool to do just that. No LDAP or PowerShell knowledge required, just click a few buttons and it is all done for you. As well as doing everything the MSA PowerShell cmdlets do, it also makes it easy to manage an MSAs group membership, makes it possible to install and uninstall MSAs on a remote computer, and has several other additional capabilities.
Managed Service Accounts GUI - Edit
Unfortunately you do still need the PowerShell AD module installed on the computer you run the application on, as there is one part of the application that I could not find any possible way of doing without calling PowerShell in the background (that is creating a valid new MSA object). All other parts of the program use native Windows APIs and LDAP queries though for better performance and reliability.
Once Windows Server 2012 is released I will be updating the application so that it can handle a new type of MSA introduced in Server 2012 (Group Managed Service Accounts, which can be used on more than one computer at a time).
Wonderful tool – allowed me to fix a vexing problem caused by me having forgotten to assign the account to a computer. The GUI tool made this difference literally jump out at me within the first moments of using it for the first time.
What would be a very useful addition would be a “script out the PowerShell commands” so that I could improve and fix some of my scripts I use to manage AD in my company’s estate.