Solved

Best Practices in Creating a Windows Service Account

Posted on 2010-08-18
7
846 Views
Last Modified: 2012-05-10
Hi All,

I have just created a AD account to be used as a service account . It is a member of
- Administrator
- Backup Operators
- Domain Admins
- Domain Users.

My main concern is :
1) How to prevent this account from being used to log in to computers and servers.
2) How to prevent this from being lock out if someone got hold of this account name.
0
Comment
Question by:Decarn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 4

Expert Comment

by:sire_harvey
ID: 33472051
It all depends on which service this account is going to control, or what it needs to do.

Some things you may wish to consider are:
1) A strong password
2) Only allowing logging onto the machine that the service is installed on. This can be done in the user account properties.
3) Confirming what permissions this account actually needs. ie, does it need Domain Admins or could it be granted "Log on as a service" or "Log on as a batch job"
4) Do you need to have the permission "Deny Logon Locally" enabled for this account?
0
 

Author Comment

by:Decarn
ID: 33472309
Hi Sire Harvey,

I have already set a strong password. For the rest, could you point out where and how I can check and change them?

2) Only allowing logging onto the machine that the service is installed on. This can be done in the user account properties. Where to check for this setting?

3) Confirming what permissions this account actually needs. ie, does it need Domain Admins or could it be granted "Log on as a service" or "Log on as a batch job" What is the difference and where to check?

4) Do you need to have the permission "Deny Logon Locally" enabled for this account? - Yes. I do not want this account to log on to any computers.

Thanks.
0
 
LVL 4

Accepted Solution

by:
sire_harvey earned 500 total points
ID: 33472347
2) Properties of the user acount, Account Tab, Logon To button. Specify the computer in there.

3) "Log on as a service" and "Log on as a batch job" can be set by group policy or local machine policy
http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx

4) "Deny Logon locally" can also be set via group policy
http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx

hope that helps
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Decarn
ID: 33472412
Thanks, sire harvey, let me read it up.

One more quick check, if the account is a member of the Domain Administrators group and Domain User group, if I were to remove the Domain User group, will the Domain Administrators privileges be removed as well?
0
 
LVL 4

Expert Comment

by:sire_harvey
ID: 33472420
There should be no reason to remove them from Domain Users. If the account is in AD, i would keep them in Domain Users.
0
 
LVL 3

Expert Comment

by:ren20atom
ID: 33475227
Hi Decarn,

Just curios to know why exactly the Service Account requires Domain Admin rights...
Rest of the rights could be understood so that Scheduled Tasks and other Batch jobs can be run..
Just wondering what is the requirement for the Domain Admin rights...
0
 

Author Comment

by:Decarn
ID: 33612418
Hi ren20atom,

You got me. I'm clueless too. Is there any valid application that require a service account with domain admin rights?
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Forcibly removing a 2003 server from the Domain 4 68
Delete Disconnected Site from Active Directory 3 76
BgInfo help 5 109
Time server on domain 3 64
Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question