Does a Managed Service Account require a domain?
I am trying to set up a standalone server (no domain) to add managed service accounts to assign for running services instead of creating local user accounts.
I would prefer to use PowerShell cmdlets to automate this task, but I am also fine with using cmd tools or the like.
The goal is to run internal services using the standard (the normal computers have AD so we have AD managed MSAs) process but without requiring a domain for demo purposes.
Is this possible?
Alternately, if there was a similar password-less method to do this, I would appreciate using that as well.
Best Answer
Managed Service Accounts isn't a feature of Windows Server but of Active Directory.
And this is how it works:
So it is impossible to have MSAs without a domain, and the AD DS Administration Cmdlets only work on a Domain Controller. (It's a hint that every single one has AD in it, like Get-ADServiceAccount.)
If you don't want to have this demo environment as a part of your existing domain, you could easily create a separate demo domain (or use Virtual Accounts instead, as mentioned in the comments). Creating a new domain could be an option if the purpose of your demo server is to test your configuration on an identical environment before using it in production.
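The Virtual Account option mentioned in the answer, sketched for a standalone server as an added example that is not part of the original answer. The service name, binary path and data folder are hypothetical placeholders; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: all names and paths below are hypothetical placeholders.
$ServiceName = 'DemoSvc'
$BinaryPath  = 'C:\Demo\DemoSvc.exe'
$DataPath    = 'C:\Demo\Data'

# A virtual account is always named after its service. Windows manages it,
# so there is no password to set, store or rotate, and no domain is needed.
$Account = "NT SERVICE\$ServiceName"

# Register the service if it is not there yet (it starts out as LocalSystem).
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    New-Service -Name $ServiceName -BinaryPathName $BinaryPath `
                -StartupType Manual | Out-Null
}

# Switch the logon identity to the virtual account.
# sc.exe expects "obj=" and its value as separate arguments.
& sc.exe config $ServiceName obj= $Account | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe config failed with exit code $LASTEXITCODE"
}

# Least privilege: grant Modify on the service's own data folder only.
# The account name resolves because the service is already registered.
if (-not (Test-Path -Path $DataPath)) {
    New-Item -ItemType Directory -Path $DataPath | Out-Null
}
& icacls.exe $DataPath /grant "${Account}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Check: the service must now report the virtual account as its identity.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $Account) {
    throw "Unexpected logon account: $($svc.StartName)"
}
"{0} runs as {1}" -f $svc.Name, $svc.StartName
```

On a standalone machine the virtual account has no domain identity, so it suits services that only need local resources.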