Best Practices in Creating a Windows Service Account

Hi All,

I have just created a AD account to be used as a service account . It is a member of
- Administrator
- Backup Operators
- Domain Admins
- Domain Users.

My main concern is :
1) How to prevent this account from being used to log in to computers and servers.
2) How to prevent this from being lock out if someone got hold of this account name.
DecarnAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sire_harveyCommented:
It all depends on which service this account is going to control, or what it needs to do.

Some things you may wish to consider are:
1) A strong password
2) Only allowing logging onto the machine that the service is installed on. This can be done in the user account properties.
3) Confirming what permissions this account actually needs. ie, does it need Domain Admins or could it be granted "Log on as a service" or "Log on as a batch job"
4) Do you need to have the permission "Deny Logon Locally" enabled for this account?
0
DecarnAuthor Commented:
Hi Sire Harvey,

I have already set a strong password. For the rest, could you point out where and how I can check and change them?

2) Only allowing logging onto the machine that the service is installed on. This can be done in the user account properties. Where to check for this setting?

3) Confirming what permissions this account actually needs. ie, does it need Domain Admins or could it be granted "Log on as a service" or "Log on as a batch job" What is the difference and where to check?

4) Do you need to have the permission "Deny Logon Locally" enabled for this account? - Yes. I do not want this account to log on to any computers.

Thanks.
0
sire_harveyCommented:
2) Properties of the user acount, Account Tab, Logon To button. Specify the computer in there.

3) "Log on as a service" and "Log on as a batch job" can be set by group policy or local machine policy
http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx

4) "Deny Logon locally" can also be set via group policy
http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx

hope that helps
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

DecarnAuthor Commented:
Thanks, sire harvey, let me read it up.

One more quick check, if the account is a member of the Domain Administrators group and Domain User group, if I were to remove the Domain User group, will the Domain Administrators privileges be removed as well?
0
sire_harveyCommented:
There should be no reason to remove them from Domain Users. If the account is in AD, i would keep them in Domain Users.
0
ren20atomCommented:
Hi Decarn,

Just curios to know why exactly the Service Account requires Domain Admin rights...
Rest of the rights could be understood so that Scheduled Tasks and other Batch jobs can be run..
Just wondering what is the requirement for the Domain Admin rights...
0
DecarnAuthor Commented:
Hi ren20atom,

You got me. I'm clueless too. Is there any valid application that require a service account with domain admin rights?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.