What's New for Managed Service Accounts

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes the changes in functionality for Managed Service Accounts with the introduction of the group Managed Service Account (gMSA) in Windows Server 2012 and Windows 8.

The managed service account is designed to provide services and tasks such as Windows services and IIS application pools to share their own domain accounts, while eliminating the need for an administrator to manually administer passwords for these accounts. It is a managed domain account that provides automatic password management.

What's new for Managed Service Accounts in Windows Server 2012 and Windows 8

The following describes what changes in functionality were made to MSA in Windows Server 2012 and Windows 8.

Group Managed Service Accounts

When a domain account is configured for a server in a domain, the client computer can authenticate and connect to that service. Previously, only two account types provided identity without requiring password management. But these account types have limitations:

  • Computer account is limited to one domain server and the passwords are managed by the computer.

  • Managed Service Account is limited to one domain server and the passwords are managed by the computer.

These accounts cannot be shared across multiple systems. Therefore, you must regularly maintain the account for each service on each system to prevent unwanted password expiration.

What value does this change add?

The group Managed Service Account solves this problem because the account password is managed by Windows Server 2012 domain controllers and can be retrieved by multiple Windows Server 2012 systems. This minimizes the administrative overhead of a service account by allowing Windows to handle password management for these accounts.

What works differently?

On computers running Windows Server 2012 or Windows 8, a group MSA can be created and managed through the Service Control Manager so that numerous instances of the service, such as deployed over a server farm, can be managed from one server. Tools and utilities that you used to administer Managed Service Accounts, such as IIS Application Pool Manager, can be used with group Managed Service Accounts. Domain administrators can delegate service management to service administrators, who can manage the entire lifecycle of a Managed Service Account or the group Managed Service Account. Existing client computers will be able to authenticate to any such service without knowing which service instance they are authenticating to.

Removed or deprecated functionality

For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the server Managed Service Accounts.
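The following is an added example, not part of the original topic, showing the cmdlet default described above together with the multi-host password retrieval described under "What value does this change add?". The domain `contoso.com`, the group `WebFarmHosts`, and the account names `svc-webfarm` and `svc-legacy` are hypothetical, and the Active Directory PowerShell module is assumed to be installed.

```powershell
# Added example. contoso.com, WebFarmHosts, svc-webfarm and svc-legacy are
# hypothetical names chosen for illustration.
Import-Module ActiveDirectory

# --- Run once in the forest, as a domain administrator ---------------------
# Domain controllers need a KDS root key before they can generate gMSA passwords.
if (-not (Get-KdsRootKey)) {
    # A new key may not be served by domain controllers for up to 10 hours,
    # which gives it time to replicate.
    Add-KdsRootKey -EffectiveImmediately
}

# Limit password retrieval to a security group holding only the farm members,
# rather than listing a broad built-in group.
$farmHosts = Get-ADGroup -Identity 'WebFarmHosts'

# With no extra switch, New-ADServiceAccount creates a *group* MSA.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'svc-webfarm.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $farmHosts

# The older single-server MSA now has to be requested explicitly.
New-ADServiceAccount -Name 'svc-legacy' -RestrictToSingleComputer

# --- Run on each farm member ------------------------------------------------
Install-ADServiceAccount -Identity 'svc-webfarm'
# Returns True when this host is able to retrieve the managed password.
Test-ADServiceAccount -Identity 'svc-webfarm'

# --- Periodic review ---------------------------------------------------------
# List every managed service account, its type, and which principals may
# retrieve its password, so over-broad retrieval rights stand out.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass,
        @{ Name = 'CanRetrievePassword'
           Expression = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } } |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

In the review output, group accounts appear with the object class `msDS-GroupManagedServiceAccount` and single-server accounts with `msDS-ManagedServiceAccount`.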

See also