Managed Service Accounts was a feature introduced in Windows Server 2008 R2 that gave us service account with automatic password management, meaning that the passwords for these account will be automatically changed regularly without any human interaction. The downside in Standalone Managed Service Accounts is that they can only be used from computer. This is solved with Group Managed Service Accounts that were introduced in Server 2012. In Windows Server 2012, these accounts can also be used as RunAs account on scheduled tasks but it can’t be configured in GUI.
My friend Jimmy wrote a couple of post a while ago on non LVR (aka legacy) group members in Active Directory groups over at his blog. You can find the his post on how to find non-LVR members here: http://jimmytheswede.blogspot.se/2013/06/non-lvr-groupmembers-how-to-find-them.html The other day when I was facing a similar situation at a customer I wrote this PowerShell function that I used to list all non LVR members of a group:
UPDATE 2015-01-04: I’ve updated the script on Technet Gallery: https://gallery.technet.microsoft.com/Generate-a-random-and-5c879ed5 Drastically improved performance and randomization logic. When provisioning new users to Active Directory we need to provide a new password and of course we want to generate a random password. This is my thoughts and three methods for generating passwords, the first two quite simple and straightforward and the third method a little bit more complex and definitely the one I recommend.