Tuesday, February 17, 2009

Windows 7 / 2008 R2 Managed Service Accounts

For years I have argued that making domain "service" accounts is stupid.  Most people look at me like I'm clacking sounds with duck lips and dancing on one foot.  Seriously, it's dumb.  I've seen so many environments where admins create "service" accounts in AD just "because".  It's a habit that started with NT4 and never died.

There are still a few (rare) cases when it makes sense, but since Windows XP and Windows Server 2003, it almost always makes better sense to use computer accounts and grant rights accordingly.  That means running the service under the local "System" account.  Ever seen the "Domain Computers" group and wondered what it was good for? How about those Computer$ accounts?  Because this makes people have to think (and many hate to think), they don't want to bother with GPO issues and so forth.  But it really is easier and simpler to manage once you go that route.

This isn't my idea.  Microsoft has been pushing for this for a long time.  Anyone who has implemented SMS 2003 or SCCM knows what I'm talking about.  It was called "Advanced Security" but it's really simple security, because you don't have to worry about passwords or access to the account itself: it's the computer account, and only people with local Admin rights on that computer could commandeer it for malicious or unauthorized use.  Compare that with a domain user account, which is essentially floating in the open and doesn't need to be instantiated from a specific host on the domain.

Windows 7 and Windows Server 2008 R2 now introduce a new type of domain account called a Managed Service Account.  This is an interesting concept and should bring a smile to the faces of those who want to get away from the old way but are daunted by the challenges of dealing with some of the obscure issues of the "new way" using computer accounts.  But what was disappointing for me was learning that the only way to create an MSA is by using PowerShell.  I had been searching and reading and wondered about the new option in ADUC (which they show and discuss on the AD Doc Team blog), but the PowerShell approach is the only way that works right now.  I can't tell if that is going to be the permanent solution, or if it's just during the beta.
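To make the PowerShell route concrete, here is an added walk-through (not code from the post) of creating an MSA, tying it to one host, and putting a service on it with the Windows Server 2008 R2 Active Directory module. The domain example.com / EXAMPLE, the member server WEB01, the account name svcWeb01 and the service name MyService are all assumed names.

```powershell
# Added example, not from the original post. Assumes a 2008 R2 forest
# (2008 R2 schema, a DC running Active Directory Web Services), a member
# server WEB01 running Windows 7 / Server 2008 R2, and a service "MyService".
Import-Module ActiveDirectory

# 1. On a management workstation: create the MSA. No password is typed in;
#    the domain generates and rotates it the same way it does for computer
#    accounts, which is the whole point versus an ordinary "service" user.
New-ADServiceAccount -Name 'svcWeb01' -Enabled $true `
    -Path 'CN=Managed Service Accounts,DC=example,DC=com'

# 2. Bind the MSA to the single host allowed to use it. On 2008 R2 an MSA
#    can be installed on exactly one computer, so unlike a shared user
#    account it cannot quietly be reused from any box on the domain.
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svcWeb01'

# Check from the AD side: WEB01 should now list only svcWeb01.
Get-ADComputerServiceAccount -Identity 'WEB01'

# 3. On WEB01 itself, as a local administrator: install the account so the
#    host can fetch the managed password, then verify the result.
Install-ADServiceAccount -Identity 'svcWeb01'
Test-ADServiceAccount   -Identity 'svcWeb01'    # True when usable on this host

# 4. Point the service at the MSA. The logon name carries a trailing '$'
#    and the password is left empty; the SCM retrieves it from the domain.
#    (services.msc grants "Log on as a service" automatically; when you
#    set the account through WMI as below, grant that right via Local
#    Security Policy or GPO yourself.)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyService'"
$svc.Change($null, $null, $null, $null, $null, $null,
            'EXAMPLE\svcWeb01$', '') | Out-Null
Restart-Service -Name 'MyService'

# Retiring the host: remove the binding so no orphaned principal is left.
# Uninstall-ADServiceAccount       -Identity 'svcWeb01'
# Remove-ADComputerServiceAccount  -Identity 'WEB01' -ServiceAccount 'svcWeb01'
# Remove-ADServiceAccount          -Identity 'svcWeb01'
```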

Part of it makes sense.  It's somewhat like how you have to manually enable the AD Schema Management MMC snap-in, or turn on "Advanced Features" in ADUC in order to access the Security tab on objects.  The implication is that it is a sensitive, critical feature, and should therefore be somewhat hidden and awkward to reach.  This helps avoid accidental screw-ups for sure.  But I wonder if an MSA is "that" touchy.

I made the claim that I was moving away from Active Directory, SMS, System Center, and so on, which I definitely have.  Not by choice, but by circumstance.  This was just something that got me thinking again after a long time away from it.  That said, I think I won't be posting techy stuff here anymore except for script code if anything.
