What Happened to My Managed Service Accounts Container?
January 26, 2021
In Windows Server 2008 R2 Active Directory (AD), Microsoft introduced managed service accounts. If you create a new AD domain with Windows Server 2008 R2 or later, when you look in Active Directory Users and Computers (ADUC), you see a container named Managed Services Accounts, as shown in Figure 1.
Some people mistakenly call this an Organizational Unit (OU), but it is a container. The Domain Controllers OU is the only OU created when you create an AD domain. You can see the difference in the icon between the Domain Controllers OU and the other items in the domain.
Enable Advanced Features in ADUC, as shown in Figure 2, by clicking View -> Advanced Features.
Right-click the Domain Controllers OU and click Properties, as shown in Figure 3.
Click the Attribute Editor tab, and scroll down to find the objectCategory and objectClass attributes, as shown in Figure 4.
Those two attributes show Domain Controllers as an OU.
If you follow the same process for Managed Service Accounts, the two attributes show Managed Service Accounts as a container, as shown in Figure 5.
One other way to see the difference between a container and an OU is with the Group Policy Management Console (GPMC). As shown in Figure 6, if you open the GPMC and expand the domain, you only see OUs. There are no containers shown because you cannot directly link a Group Policy Object to a container.
Back in ADUC, if you right-click any of the other containers, for example, Computers or Users, you see no Delete option, as shown in Figures 7 and 8.
There is a Delete option when you right-click the Managed Service Accounts container, as shown in Figure 9.
Because there IS a delete option, an admin can accidentally delete that container. The Managed Service Accounts container is not critical, which is probably why Microsoft allows for its deletion. If “someone” deletes the container, as shown in Figure 10, how do we get it back?
Recreating the Managed Service Accounts container is a simple process.
1. Open ADSIEdit
2. Right-click the ADSI Edit node and click Connect to…, as shown in Figure 11.
3. Name: Default naming context
Select a well known Naming Context: Default naming context
Select Default (Domain or server that you logged in to)
Click OK, as shown in Figure 12.
4. Drill down to Default naming context -> DC=<DomainName>,DC=<TLD> -> CN=System -> CN=DomainUpdates -> CN=Operations, as shown in Figure 13.
5. In the middle pane, right-click the item with the Name CN=5e1574f6-55df-493e-a671-aaeffca6a100 and click Delete, as shown in Figure 14.
6. Click Yes to confirm the deletion, as shown in Figure 15.
7. In the left pane, click on CN=ActiveDirectoryUpdate, as shown in Figure 16.
8. Right-click CN=ActiveDirectoryUpdate and click Properties, as shown in Figure 17.
9. Scroll down and find the attribute named revision and click Edit, as shown in Figure 18.
10. Click Clear, as shown in Figure 19.
11. Click OK, as shown in Figure 20.
12. Close the dialog and exit ADSI Edit.
13. Mount your Server OS ISO.
14. Open an elevated command prompt.
15. Change to the ADPrep folder, x:\support\adprep (where x: is the drive letter for the installation media) and run adprep /domainprep, as shown in Figure 21.
16. Refresh the ADUC console, and you see the Managed Service Accounts container, as shown in Figure 22.
Now you can get back to doing whatever it is you wanted to do with managed service accounts.