Solved

service accounts in AD

Posted on 2012-08-30
Last Modified: 2012-09-05
How would you go about identifying which accounts in an AD are service accounts as opposed to interactive user accounts - is it possible?

How do you "structure" your service accounts in your AD, so you know which are service accounts and which are typical user accounts?

Are there any major risks/issues in not being able to identify which accounts are service accounts in your AD, however big a risk/issue or petty? I assume there must be issues/risks with not knowing which are service accounts - so please share your view.
0
Question by:pma111
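An added example, written for this thread and not posted by anyone in it, of the two signals an admin can combine to separate service accounts from interactive users: the "Log On As" identity configured for Windows services on each server, and domain accounts that carry a servicePrincipalName in AD. It assumes the RSAT ActiveDirectory module, WMI access to the servers, and that the server names are placeholders for your own inventory.

```powershell
# Added example (not from the original thread). Two signals that an account is a
# service account rather than an interactive user:
#   1. it is the "Log On As" identity of a Windows service on a member server
#   2. it carries a servicePrincipalName in AD (registered to run a Kerberos service)
# Assumes the RSAT ActiveDirectory module and WMI access to the listed servers.
Import-Module ActiveDirectory

# Identities Windows itself uses for services; not AD accounts to inventory.
$builtInIdentities = @(
    'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function ConvertTo-SamAccountName {
    # Normalises 'DOMAIN\name' and 'name@domain.tld' to plain 'name'
    param([string]$LogOnAs)
    if ($LogOnAs -like '*@*') { return ($LogOnAs -split '@')[0] }
    return ($LogOnAs -split '\\')[-1]
}

function Get-ServiceLogOnAccounts {
    # Queries each server for its services and returns one row per
    # non-built-in log-on identity. Managed service accounts show up as DOMAIN\name$.
    param([string[]]$ComputerName)

    $domain = (Get-ADDomain).NetBIOSName
    foreach ($server in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "Could not query services on ${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $services) {
            if (-not $svc.StartName) { continue }
            if ($builtInIdentities -contains $svc.StartName) { continue }
            # DOMAIN\name or name@domain is a domain account; .\name is local to that server
            $scope = 'Local'
            if ($svc.StartName -like "$domain\*" -or $svc.StartName -like '*@*') { $scope = 'Domain' }
            [pscustomobject]@{
                Server  = $server
                Service = $svc.Name
                LogOnAs = $svc.StartName
                Scope   = $scope
            }
        }
    }
}

function Get-SpnAccounts {
    # Domain user accounts that carry an SPN are registered to run a
    # Kerberos-authenticated service, a strong sign of a service account.
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, Description, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                Description          = $_.Description
                SPNs                 = ($_.servicePrincipalName -join '; ')
            }
        }
}

# Placeholder server list; replace with Get-ADComputer output or your own inventory.
$servers = @('APP01', 'SQL01')

$logOns = Get-ServiceLogOnAccounts -ComputerName $servers
$logOns | Sort-Object LogOnAs | Format-Table -AutoSize

# Merge both signals into one list of domain accounts that look like service accounts
$fromServices = $logOns | Where-Object { $_.Scope -eq 'Domain' } |
    ForEach-Object { ConvertTo-SamAccountName -LogOnAs $_.LogOnAs }
$fromSpns = (Get-SpnAccounts).SamAccountName
$candidates = @($fromServices) + @($fromSpns) | Sort-Object -Unique
$candidates
```

The service query answers the "every server or the AD?" question in the thread: service log-on identities live on each server, so that part has to be run against every server (or fed from a server inventory), while the SPN query is a single query against the directory. Neither signal is complete on its own; an account used only by a scheduled task or an application-level credential store shows up in neither, which is why a naming or OU convention is still worth keeping.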
12 Comments
 
LVL 17

Accepted Solution

by:
Lior Karasenti earned 668 total points
ID: 38349341
0
 
LVL 3

Author Comment

by:pma111
ID: 38349352
Do you have to run that script against every server, or against the AD?
0
 
LVL 17

Expert Comment

by:Lior Karasenti
ID: 38349392
I used it in a small network of 60 users that use only one server.

But I think you should run it against the AD in larger networks.
0

 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 668 total points
ID: 38349393
You have to run the script against every server.
0
 
LVL 3

Author Comment

by:pma111
ID: 38349523
Are there any major risks/issues in not being able to identify which accounts are service accounts in your AD, however big a risk/issue or petty? I assume there must be issues/risks with not knowing which are service accounts - so please share your view.
0
 
LVL 23

Assisted Solution

by:Ayman Bakr
Ayman Bakr earned 664 total points
ID: 38349816
Usually the risks involved in not knowing what service accounts are used are security-related. Attackers usually target existing accounts in an attempt to gain an entry into the targeted network/business and cause all levels of damage (corruption, mental damage, real damage, loss of data etc...).

One of the easiest exploits is using the service accounts, which in certain circumstances have levels of privilege that can be equivalent to admin privilege.

A very nice technical document which describes the definitions, challenges/risks, and solutions is worth reading here:

http://technet.microsoft.com/en-us/library/cc875826.aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 38349835
>>Usually the risks involved in not knowing what service accounts are used are security-related.

I'm just a bit lost at how knowing about them or not prevents the security issues related to service accounts. I.e. if you know about them, how does that help mitigate the security-related issues, and how does not knowing about them make them more vulnerable to being exploited?
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38350887
Knowing about them will give you the chance to take all security precautions as per the plans set forth - I am not a security specialist, however I think the security precautions would be something like disabling certain unnecessary service accounts, keeping an eye on/monitoring service accounts that have high privileges. One of the first security precautions you take on a Windows server, though related to user accounts, is to disable the Guest account and create another local administrator account to be used instead of the built-in one while the latter's password is made complex and at a strong level. You see what I mean?

If you don't know about them you will miss closing all these security holes where a professional attacker will be very happy to discover how easy you made it for him to exploit all these vulnerabilities.
0
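An added example, written for this thread and not posted by anyone in it, that turns the precautions described above into a repeatable audit: for a list of accounts already identified as service accounts, it reports membership (direct or nested) in a privileged group, passwords that never expire or are very old, accounts with no recent logon (candidates for review and disabling), and accounts placed outside the OU set aside for service accounts. It assumes the RSAT ActiveDirectory module; the account names, OU path and thresholds are placeholders.

```powershell
# Added example (not from the original thread). Audits a list of known service
# accounts for the conditions discussed above. Assumes the RSAT ActiveDirectory
# module; the account list, OU path and thresholds are placeholders.
Import-Module ActiveDirectory

$privilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                        'Administrators', 'Account Operators', 'Server Operators')
$serviceAccountOu   = 'OU=Service Accounts,DC=example,DC=com'   # placeholder OU
$maxPasswordAgeDays = 365
$staleLogonDays     = 90

function Get-PrivilegedMemberSet {
    # Expands each privileged group recursively so nested membership is caught too
    $set = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' `
                      -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    foreach ($group in $privilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                ForEach-Object { [void]$set.Add($_.SamAccountName) }
        } catch {
            Write-Warning "Could not expand group ${group}: $($_.Exception.Message)"
        }
    }
    return $set
}

function Test-ServiceAccountRisk {
    # Returns one row per account with a semicolon-separated list of findings
    param([string[]]$SamAccountName)

    $privileged = Get-PrivilegedMemberSet
    $now = Get-Date
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -ErrorAction SilentlyContinue `
                 -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
        if (-not $u) { Write-Warning "Account $name not found"; continue }

        $findings = @()
        if ($privileged.Contains($u.SamAccountName)) {
            $findings += 'member of a privileged group'
        }
        if ($u.PasswordNeverExpires) {
            $findings += 'password never expires'
        }
        if ($u.PasswordLastSet -and ($now - $u.PasswordLastSet).Days -gt $maxPasswordAgeDays) {
            $findings += "password older than $maxPasswordAgeDays days"
        }
        # -or short-circuits, so a null LastLogonDate is never subtracted from $now
        if ($u.Enabled -and ((-not $u.LastLogonDate) -or ($now - $u.LastLogonDate).Days -gt $staleLogonDays)) {
            $findings += "no logon in $staleLogonDays days; review whether still needed"
        }
        if ($u.DistinguishedName -notlike "*,$serviceAccountOu") {
            $findings += 'outside the service-account OU'
        }

        $summary = 'none'
        if ($findings) { $summary = $findings -join '; ' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Findings       = $summary
        }
    }
}

# Constructed placeholder list; in practice feed in the accounts found by your inventory.
$knownServiceAccounts = @('svc_backup', 'svc_sqlagent', 'svc_webapp')
Test-ServiceAccountRisk -SamAccountName $knownServiceAccounts | Format-Table -AutoSize
```

The script only reports; disabling or moving an account stays a deliberate step once the owning application has been confirmed. Scheduling it and diffing the output against the previous run gives the "keeping an eye on" part of the answer: a service account newly appearing in a privileged group, or one that has stopped logging on, is exactly what should prompt a look.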
 
LVL 3

Author Comment

by:pma111
ID: 38362639
Thanks.

Are service accounts always domain accounts, or can they sometimes be local accounts on the server itself? Any specific reason for one or the other?

And how do you structure them in your AD, are they in a container just for SA's? Does MS have any best practice on where to structure them in AD?
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38363276
Service accounts can either be the built-in local account of a computer, or a local user or domain user account.

The following article is an excellent source on what service accounts are, when to use which, and what the best practices are:

http://4sysops.com/archives/service-account-best-practices-part-1-choosing-a-service-account/
0
 
LVL 3

Author Comment

by:pma111
ID: 38363827
Do you segregate your domain service accounts in their own container in AD?
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38366527
In our environment we have an OU solely for the Admin service accounts.
0
