If you've ever used domain-based service accounts, you know that the explicit permission configuration coupled with Group Policy management is the way to go.
But what about when the account needs a password change? That is where it gets a little less exciting. Service accounts are great--until the accounts need a configuration change at the endpoint.
Windows Server 2008 R2 introduces a new type of account, the managed service account, that assists with endpoint administration. This functionality effectively extends part of the computer account in Active Directory to function like a service account. The TechNet documentation refers to this as a managed local account, and it applies to servers running Windows Server 2008 R2 or Windows 7.
The Active Directory schema will require updating to the Windows Server 2008 R2 functional level to take advantage of this feature. The managed service account will create a top-level organizational unit by the same name. Note: you may want to use PowerShell because, as described in this blog post, the GUI exposes far fewer of the properties that PowerShell lets you assign.
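As an added example (not code from the original post), here is the PowerShell workflow the note above alludes to: create the managed service account, bind it to one host, install it on that host, point a Windows service at it, and then verify the result. The domain CONTOSO, the account svc-app, the host APP01 and the service MyAppService are assumed placeholder names.

```powershell
# Added example, not from the original post. Assumed placeholder names:
# domain CONTOSO, MSA 'svc-app', host 'APP01', Windows service 'MyAppService'.
Import-Module ActiveDirectory

# 1. From an admin workstation: create the MSA object. With no -Path it is
#    placed in the Managed Service Accounts container created by the 2008 R2
#    schema update.
New-ADServiceAccount -Name 'svc-app' `
    -Description 'Runs MyAppService on APP01' `
    -Enabled $true

# 2. Authorise exactly one computer to retrieve this account's password.
#    This writes msDS-HostServiceAccount on the APP01 computer object.
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-app'

# --- The remaining steps run on APP01 itself (2008 R2 / Windows 7 with the
#     AD module installed), logged on as a local administrator. ---

# 3. Install the MSA locally so the host can fetch and rotate the password.
Install-ADServiceAccount -Identity 'svc-app'

# 4. Point the service at the MSA. The logon name carries a trailing '$' and
#    the password is an empty string: the host manages it, not you.
#    Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
#    StartMode, DesktopInteract, StartName, StartPassword, ...); $null leaves
#    a field unchanged. A ReturnValue of 0 means success.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppService'"
$result = $svc.Change($null, $null, $null, $null, $null, $null,
                      'CONTOSO\svc-app$', '')
if ($result.ReturnValue -ne 0) {
    throw "Failed to set service logon account (code $($result.ReturnValue))"
}
Restart-Service -Name 'MyAppService'

# 5. Checks worth doing before walking away.
#    The account must test True on the host that installed it.
Test-ADServiceAccount -Identity 'svc-app'

#    The service should now run under the MSA, not a human or shared account.
Get-WmiObject -Class Win32_Service -Filter "Name='MyAppService'" |
    Select-Object Name, StartName, State

#    HostComputers is the back link of msDS-HostServiceAccount. More than the
#    one expected host means the account's scope has crept; investigate it.
(Get-ADServiceAccount -Identity 'svc-app' -Properties HostComputers).HostComputers
```

Step 4 is equivalent to choosing the account in services.msc and leaving the password fields blank; a managed service account cannot be used for interactive logon, so a non-empty password there is a sign something else is being used.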
In a way, a managed service account can function like the Builtin organizational unit in default domain configurations; however, the Builtin organizational unit isn’t designed for explicit permission assignment like a service account would be.
The Builtin organizational unit is a good way to explicitly assign a specific permission to a domain controller, such as remote desktop access. For SQL Server or IIS configurations in particular, the managed service account feature of Windows Server 2008 R2 can increase the centrally managed aspects of service accounts.
A managed service account adds security to the service account practice. Above all else, the password management burden is lifted from the administrator. I can almost hear Windows administrators everywhere rejoicing.