Managed Accounts

by Dan Holme on 2/15/2014

In Windows operating systems and other Microsoft technologies, a service account is a user account that a service uses to log on to a system. When you configure a service, you associate an identity (a user name and password) with it. When the service starts, it authenticates with that account exactly as a user does when logging on. The service account must have sufficient permissions for the service to perform its tasks, and, following least privilege, no more than that.

Traditionally, service accounts have been difficult for enterprises to manage: when you change the password of a service account in Active Directory, you must then reconfigure every service that uses it with the new password; otherwise, the service is denied logon at its next start. Because of this, enterprises have typically sacrificed security best practice and configured service accounts with passwords that never expire and are rarely, if ever, rotated.

To address this management and security challenge, SharePoint implements managed accounts. Managed accounts are service accounts with which SharePoint services run. Unlike traditional service accounts, however, SharePoint is able to perform password changes on the accounts in Active Directory, and it can update the service with a new password. All of this can be done automatically, without administrative intervention.

A managed account starts like any service account: a domain user account is created in Active Directory. You then register the account as a managed account, either in SharePoint Central Administration or with the New-SPManagedAccount cmdlet in the SharePoint Management Shell. At that time, you enter both the user name and the password of the account; this is the last time an administrator needs to know the password.

When you configure a service application, application pool, or any other component that requires an identity, you can specify which managed account should be used. In this way, SharePoint is able to maintain a database of associations between managed accounts and services.

Additionally, and in contrast to SharePoint 2007, when you assign an identity to a service application, SharePoint 2010 and later configure the permissions or rights required for the identity.

When it comes time to change the password of a managed account, you do so with Central Administration, rather than with Active Directory Users And Computers. SharePoint is able to change the password of the account in the domain, and it can reconfigure the services associated with that identity to allow the use of a new password.

You can also configure SharePoint to change passwords automatically, on a schedule and ahead of the expiration date imposed by the domain password policy, generating new values that satisfy the domain complexity policy. In this way, the managed account passwords are known only to the farm and cannot be used by an administrator, accidentally or intentionally, to cause damage to the farm.
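The registration, assignment, manual rotation and automatic rotation described in the preceding paragraphs can all be driven from the SharePoint Management Shell. The following is an added worked example, not code from the original article; the account name CONTOSO\svc-sp-search, the application pool name and the rotation schedule are assumptions, and the cmdlets used are the standard SharePoint 2010/2013 managed-account cmdlets.

```powershell
# Added example: the managed-account lifecycle from the SharePoint Management Shell.
# Account, pool and schedule values below are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$userName = "CONTOSO\svc-sp-search"   # assumed: a plain domain user created in AD beforehand

# 1. Register the AD account as a managed account. This is the one time an
#    administrator types the password; SharePoint stores it encrypted in the farm.
$cred    = Get-Credential $userName
$account = New-SPManagedAccount -Credential $cred

# 2. Use the managed account as the identity of a new service application pool.
#    SharePoint records the pool-to-account association itself, so later
#    password changes can be pushed to every component that uses the account.
$pool = New-SPServiceApplicationPool -Name "SearchServiceAppPool" -Account $account

# 3. Let the farm rotate the password: generate a new value, set it in AD and
#    redeploy it to dependent services on a schedule, starting two days before
#    the domain policy would expire it and mailing a warning five days ahead.
#    Nobody outside the farm ever learns the generated password.
Set-SPManagedAccount -Identity $account `
    -AutoGeneratePassword:$true `
    -Schedule "monthly between 1 02:00:00 and 1 03:00:00" `
    -PreExpireDays 2 `
    -EmailNotification 5

# 4. Manual rotation when needed (for example, an administrator who knew the
#    original password leaves): SharePoint sets the new password in AD and then
#    reconfigures the services that use the account.
$new = Read-Host -AsSecureString "New password"
Set-SPManagedAccount -Identity $account -SetNewPassword -NewPassword $new -ConfirmPassword $new

# 5. Check: every managed account should show a future expiry and, ideally,
#    automatic change enabled. Accounts with AutomaticChange = False are the
#    ones whose passwords an administrator still has to manage by hand.
Get-SPManagedAccount | Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration

# 6. If a component was reconfigured outside Central Administration and lost
#    its credential, push the stored credential out to all components again.
Repair-SPManagedAccountDeployment
```

Rotating in the shell rather than in Active Directory Users And Computers matters: a password changed directly in AD leaves SharePoint with a stale copy, and the services fail at their next start. If that has already happened, Set-SPManagedAccount -UseExistingPassword -Password lets you tell the farm the password that is now in AD instead of changing it again.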

The managed account credentials are never stored in clear text. Encryption starts with the farm passphrase that is specified during SharePoint configuration; the passphrase is held in a protected registry key on each server. The farm passphrase encrypts a private key that is stored in the SharePoint configuration database, and that private key is used to encrypt the account credentials. This is why the passphrase is required when a new server joins the farm, and why it should be kept as carefully as the account passwords it protects.
