
Find a service account (MSA) in AD. Hidden accounts.

Are you looking for an account in AD and can't find it? Chances are it's an MSA service account and here's how to find it!


A little theory on services and MSAs:

A service has a primary security identity that determines access rights to local and network resources. The security context of a Microsoft Win32 service is determined by the service account that is used to start the service. Generally you will use a service account to:

  • Identify and authenticate a service.

  • Successfully start a service.

  • Access or execute code or an application.

  • Start a process.

Depending on your use case, you can use a managed service account (MSA), computer account, or user account to run a service. Of course, you must first test a service to confirm that it can use a managed service account. If the service can use an MSA, then best practice would be for you to use one.


The main advantage of an MSA is that its password is managed entirely by Active Directory: no manual rotation is required, and the password is never known to an administrator.



Problem:

An AD service account with a SamAccountName that ends with a "$" is hidden. You can't find it by doing a simple search like:


Solution:

In order to find this account you can use PowerShell. Here is an example of the command to execute.


PS C:\> Get-ADServiceAccount -Identity service1

Enabled           : True
Name              : service1
UserPrincipalName :
SamAccountName    : service1$
ObjectClass       : msDS-ManagedServiceAccount
SID               : S-1-5-21-159507390-2980359153-3438059098-29770
ObjectGUID        : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a
HostComputers     :
DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com


As it is accessible via PowerShell, you can administer it via PowerShell and, for example, add it as a member of a group.
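Building on the command above, here is an added PowerShell example (not from the original article) that finds an MSA or gMSA whether or not the trailing "$" was typed, and inventories every managed service account together with the principals allowed to retrieve its password, so that overly broad retrieval rights can be reviewed. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the function names are my own.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

# Escape the characters that are special inside an LDAP filter (RFC 4515),
# so a name typed by an operator cannot change the shape of the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    $escaped = $Value -replace '\\', '\5c'      # backslash first
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    return ($escaped -replace "`0", '\00')
}

$script:ReviewProps = 'HostComputers', 'PrincipalsAllowedToRetrieveManagedPassword',
                      'PasswordLastSet', 'MemberOf'

# Find one MSA or gMSA by the name an admin would type, with or without "$".
# The SamAccountName of a managed service account always ends with "$".
function Find-ServiceAccount {
    param([Parameter(Mandatory)][string] $Name)
    $sam = (ConvertTo-LdapFilterValue ($Name.TrimEnd('$'))) + '$'
    Get-ADServiceAccount -LDAPFilter "(sAMAccountName=$sam)" -Properties $script:ReviewProps
}

# Inventory every managed service account and flag the ones whose password can
# be retrieved by a group rather than an explicit host: anyone able to add a
# computer to that group inherits the service identity, so review such entries.
function Get-ServiceAccountInventory {
    Get-ADServiceAccount -Filter * -Properties $script:ReviewProps | ForEach-Object {
        $principals = @($_.PrincipalsAllowedToRetrieveManagedPassword)
        $groups = foreach ($dn in $principals) {
            if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') { $dn }
        }
        [pscustomobject]@{
            Name              = $_.Name
            Type              = $_.ObjectClass   # msDS-ManagedServiceAccount or msDS-GroupManagedServiceAccount
            Enabled           = $_.Enabled
            PasswordLastSet   = $_.PasswordLastSet
            HostComputers     = (@($_.HostComputers) -join '; ')
            AllowedPrincipals = ($principals -join '; ')
            ReviewNeeded      = (@($groups).Count -gt 0)
        }
    }
}

# Usage: look up the account from the article, then list all MSAs/gMSAs.
Find-ServiceAccount -Name 'service1'
Get-ServiceAccountInventory | Format-Table -AutoSize
```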


I hope this article was useful to you!

Enjoy! 👨‍💻
