Focusing on security in Active Directory

Externally Sealed Off

Using Managed Service Accounts

Managed service accounts (MSAs) have been on board since Windows Server 2008 R2 and were significantly improved in Windows Server 2012 R2. In Windows Server 2016, MSAs work as they did in Server 2012 R2: one account can be used on multiple servers. To this end, Microsoft developed Group Managed Service Accounts (gMSAs) as an extension of MSAs. You can administer MSAs in PowerShell; however, with the Managed Service Accounts GUI [4] freeware, it is much easier to create MSAs in Server 2016 (Figure 2).

Figure 2: The Managed Service Account GUI makes MSA management much easier.

Group Managed Service Accounts focus on server applications like Exchange and SQL Server. These applications are critical not only for operations but also for security, because the accounts that start these services often have extensive rights. In particular, the built-in Local Service, Network Service, and Local System accounts are often used for server applications, and sometimes even administrator accounts. The disadvantage of these local accounts is that they cannot be managed at the domain level. If administrators use AD user accounts instead, the passwords always have to be managed manually. To view the Managed Service Accounts OU and the service accounts created in it, you might have to enable Advanced Features from the View menu in the Active Directory Users and Computers snap-in.

MSAs are user accounts in AD that are used for local services. The passwords of these accounts are not changed manually but automatically by AD under certain conditions; administrators can also trigger such a change manually. The advantage of this setup is that the system services using these accounts do not have to be reconfigured by the administrator when the password changes; they pick up the new password automatically.

The administration of such service accounts can also be delegated to non-administrators (e.g., the database system programmers).
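The PowerShell route mentioned above, as an added example that is not from the article or the Managed Service Accounts GUI tool: it creates a gMSA with the ActiveDirectory module and then lists which principals are allowed to read each gMSA's password, which is the setting a reviewer should check. The domain example.com, the server group SQL-Servers, and the account name svc-sql01 are constructed placeholders.

```powershell
# Added example (not from the article): create a gMSA and audit who can read its
# password. Domain, group and account names are constructed placeholders.
Import-Module ActiveDirectory

# 1. A KDS root key is required once per forest before any gMSA can be created.
#    -EffectiveImmediately still honours the ~10 h replication delay in a real
#    forest; create the key once and verify it with Get-KdsRootKey.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Restrict password retrieval to a group containing only the servers that run
#    the service: every member of this group can fetch the password blob.
$hosts = Get-ADGroup -Identity 'SQL-Servers'

New-ADServiceAccount -Name 'svc-sql01' `
    -DNSHostName 'svc-sql01.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -Enabled $true

# 3. On each member server (after a reboot, so the group membership is in the
#    computer's Kerberos token), install and verify the account:
#    Install-ADServiceAccount -Identity 'svc-sql01'
#    Test-ADServiceAccount -Identity 'svc-sql01'    # True when the host can fetch the password

# 4. Review check: list every gMSA, its rotation interval and who may read its password.
Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval |
    ForEach-Object {
        [pscustomobject]@{
            Account      = $_.SamAccountName
            IntervalDays = $_.'msDS-ManagedPasswordInterval'
            Readers      = ($_.PrincipalsAllowedToRetrieveManagedPassword |
                            ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        }
    } | Format-Table -AutoSize
```

Run step 1, 2 and 4 on a domain controller or a workstation with RSAT; step 3 is run on the servers themselves. An unexpectedly broad Readers column (for example Domain Computers) is the finding to act on.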

Constantly Checking AD

Changes to AD settings by administrators are rarely noticed. You should therefore subject AD administration tasks to regular monitoring. In addition to professional solutions, free tools can be used in small and medium-sized environments. With the free Netwrix Change Notifier [5] tool, all changes are logged and, if desired, sent by email. In this way, those responsible in the company always have an overview of the changes made, which can be reversed in the event of problems. The advantage of the tool is its very easy setup. You can integrate the freeware into your environment in a few minutes and make all the necessary settings in a GUI.

The free SolarWinds Admin Bundle for Active Directory [6] provides various additional tools to help you display and delete inactive user and computer accounts in AD (Figure 3) and lets you use a CSV file to create multiple users at the same time.

Figure 3: Additional tools find inactive and no longer needed accounts in AD.

To improve security in Active Directory, admins do not need additional expensive tools that are complicated to operate. Microsoft already provides enough security features in the standard Windows Server tools. Freeware monitoring can also be used in small and medium-sized environments to detect changes. Generally speaking, administrator accounts should always be especially well protected.
