Managed Service Accounts (MSA): Installing a service

Written by Catalin Gheorghe · July 2nd, 2020


Recently, one of our users has asked us if it is possible to install, through Advanced Installer, a service under a Managed Service Account (MSA).

If you’re new to Advanced Installer, we recommend you take advantage of the 30-Day Full-Featured Free Trial (no credit card required).

Since it took quite a while to investigate all this, as I was not familiar with what Managed Service Accounts are, I decided to create this how-to, hoping that other users may find this useful.

A little explanation before we begin (this is probably skippable as if you were searching for this, you are probably already familiar with what an MSA is):

The first question that came into my mind when I read that request was "What is a Service Account?".

What is a Service Account and Managed Service Accounts

A service account is a user account created to run a particular service or software. To have good security, a service account should be created for each service/application on your network.

As you can imagine, a significant drawback to this is password management.

For large networks, this means a lot of service accounts, and the management of these service accounts can become complicated, and this is where the Managed Service Accounts (MSA) come to help.

One of the biggest advantages of an MSA is NO MORE PASSWORD MANAGEMENT. It uses a complex, random, 240-character password that automatically changes when it reaches the domain or computer password expiry date.

Standalone Managed Service Accounts (sMSAs) VS Group Managed Service Accounts (gMSAs)

What is a standalone Managed Service Account (sMSA)?

As we have discussed earlier: a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate it to other administrators.

What is group Managed Service Account (gMSA)?

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers.

For a more in-depth overview of this, please look at Microsoft's Group Managed Service Accounts Overview article.

How to create a Managed Service Account on Windows


  • Windows Server 2012 or above
  • Active Directory Domain Services (AD DS)

ImportantThis is all intended for test purposes, therefore please follow these steps on a test machine (e.g., Virtual Machine).

You can create an MSA by using the Active Directory module for PowerShell.

As explained above, to create an MSA, we will need the Active Directory module for PowerShell. To do so, please open PowerShell on your Windows Server machine and type the following:

Import-Module ActiveDirectory

The first thing we need to do is to create a Key Distribution Service Root Key (KdsRootKey).

Domain Controllers (DC) require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 hours from the time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA.

Since this is only meant for test purposes, we will skip the 10 hours part of the KdsRootKey generation. To do so, we can use the following:

Add-KdsRootKey -EffectiveTime ((get-date).addHours(-10))

Now, we are pretty much ready to go. To create a new Managed Service Account, we can proceed as it follows:

New-ADServiceAccount -Name TestMSA -Path "CN = Managed Service Accounts, DC=catalin, DC=test" -DNSHostName hostname.catalin.test


  • hostname returns the computer name
  • catalin.test is my Domain Controller

After creating the MSA, we will now specify which computer can request and access the password. To do so, we can proceed as it follows:

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$


  • WIN-N8MH1OCCOTD - represents the computer name

We can now test the managed service account. To do so, please proceed as follows:

Test-ADServiceAccount -Identity TestMSA | Format-List

The above should return true. If so, it is now time to install our Managed Service Account:

Install-ADServiceAccount -Identity TestMSA

After doing so, we can retrieve our managed service account by running the following:

Get-ADServiceAccount -Filter *

This will return our MSA.

You can also check for the service from within the UI, by accessing "dsa.msc" --> your Domain Controller --> "Managed Service Accounts":

Managed service accounts

You can find all the above code below:

import-module ActiveDirectory

Add-KdsRootKey -EffectiveTime ((get-date).addHours(-10))

New-ADServiceAccount -Name TestMSA -Path "CN = Managed Service Accounts, DC=catalin, DC=test" -DNSHostName hostname.catalin.test

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

Test-ADServiceAccount -Identity TestMSA |fl

Install-ADServiceAccount -Identity TestMSA

Get-AdServiceAccount -Filter *

Powershell active directory

Now, to install a service under the MSA, we will need to do two things:

  • provide the "username", which looks like this:

Based on the above sample, the username will look like this:

  • provide NO password

Basically, in Advanced Installer, in the "Services" page, you will need to specify the account from which the service will run.

Service page

Least, but not last: the account should have enough privileges to start/work with services.

Managed Service Account: FAQ

What is a managed service account?

A Managed Service Account is a Windows feature that was introduced in Windows Server 2008 to help non-user service accounts become more secure. Automatic password management, as well as simplified SPN management and the option to grant access to other administrators, can be provided through a managed service account.

Difference between a service account and managed service account?

A significant difference between a local service account and a managed service account is that standalone managed service accounts are intended to address the difficulties generated by the password management.

What is a standalone managed service account?

A standalone Managed Service Account (sMSA) is a managed domain account that one can utilize in order to secure a service running on a server.

What is gMSA?

A gMSA - Grouped Managed Service Account, is a form of managed service account (MSA) that provides a higher level of security than regular MSAs for automated and non-interactive applications, services, and processes that need credentials. The gMSAs can run on a single or on multiple servers.

What is the difference between MSA and gMSA?

The group Managed Service Account (gMSA) delivers the same functionality as the MSA within the domain, but it also extends it over several servers.

What is a service account in windows?

A service account is a user account established specifically for the purpose of providing a security context for services running on Windows Server operating systems, and this way controlling the service's ability to access local and network resources.

Subscribe to Our Newsletter

Sign up for free and be the first to receive the latest news, videos, exclusive How-Tos, and guides from Advanced Installer.