Getting More out of Managed Service Accounts

Hi.  Just a quick entry today, about Active Directory Managed Service Accounts (MSAs) and Centrify Server Suite for Windows.

A customer asked:

“In the Centrify Server Suite do we support or have plans to support Managed Service Accounts that were released with Windows Server 2008 R2? Managed Service Accounts are Windows user accounts that are created and managed via PowerShell that do not have manually created passwords and can be used as service accounts.”

Here’s my reply:

We do, in fact, support using MSAs in the Suite, and we significantly extend their functionality beyond what Microsoft uses them for.

By default, when you click Browse User from the Run As tab of an application right definition, you won’t see the MSAs.

You can show and select from the MSAs by clicking the Browse button in the Browse User dialog.  This brings up a Browse for Container dialog, in which you can browse to the Managed Service Accounts container.  Click OK, and the next search in the Browse User dialog will bring up the MSAs you can select.

You can use MSAs anywhere in a rights definition as the Run As account.  The Centrify Agent will layer on the privileges of the MSA as it would for any other account; that is, from the point of view of Windows, it acts as the MSA, but with auditing back to the actual carbon unit using the MSA, not just the MSA.

But the functionality, as I mentioned above, is extended.  You can use the right on any machine to which its role applies; that is, you are not limited to using the right on the machine that has the MSA installed locally.  This is wizard.  It means you can have the benefits of MSAs, including the security of MSA password management and automatic refresh, along with the (Centrify-enabled) ability to use the MSA and its privileges for any users of your choice, on any machines of your choice, through Server Suite rights and roles.

Hope this makes sense!  It’s a great feature of Server Suite for Windows, and could solve some important use cases for you.
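For context on the single-machine limit that Server Suite lifts, here is an added example (not from the original post, and not Centrify code) of how a standalone MSA is created and bound to exactly one computer with the Microsoft ActiveDirectory PowerShell module; the account name svc-sqldemo and host SQL01 are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# Constructed names: change these to match your environment.
$msaName  = 'svc-sqldemo'
$hostName = 'SQL01'

# Create a standalone (single-computer) MSA. AD generates the password
# and rotates it automatically; nobody ever types or stores it.
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true

# Authorize exactly one computer to retrieve the MSA password. Without
# Server Suite, this is the only host that can run anything as the MSA.
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# Run on SQL01 itself: cache the account locally and verify it works.
# Test-ADServiceAccount returns True on SQL01 and False on any other host,
# which is the limit the Centrify rights/roles mechanism removes.
Install-ADServiceAccount -Identity $msaName
Test-ADServiceAccount -Identity $msaName

# Review check: list which computer(s) the MSA is bound to in AD.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers
```

Keeping the HostComputers binding narrow remains good practice even when Server Suite grants the MSA's privileges elsewhere, since Centrify's audit trail, not the AD binding, is then what records which person actually used the account.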


A screen capture of the Centrify selection dialog using MSAs for a new rights definition.


The MSA named SQL Demo used for the Run As account and privileges in the rights definition.