• Status: Solved

service accounts in AD

How would you go about identifying which accounts in an AD are service accounts as opposed to interactive user accounts - is it possible?

How do you "structure" your service accounts in your AD, so you know which are service accounts and which are typical user accounts?

Are there any major risks/issues in not being able to identify which accounts are service accounts in your AD, however big a risk/issue or petty, I assume there must be issues/risks with not knowing which are service accounts - so please share your view.

Asked by: pma111

pma111 (Author) Commented:
Do you have to run that script against every server, or against the AD?

Lior Karasenti Commented:
I used it in a small network of 60 users that use only one server.

But I think you should run it against the AD in larger networks.

Sushil Sonawane Commented:
You have to run the script against every server.

pma111 (Author) Commented:
Are there any major risks/issues in not being able to identify which accounts are service accounts in your AD, however big a risk/issue or petty, I assume there must be issues/risks with not knowing which are service accounts - so please share your view.

Ayman Bakr (Senior Consultant) Commented:
Usually the risks involved in not knowing what service accounts are used are security-related. Attackers usually target existing accounts in an attempt to gain an entry into the targeted network/business and cause all levels of damage (corruption, mental damage, real damage, loss of data etc...).

One of the easiest exploits is using the service accounts, which in certain circumstances have levels of privileges that can equate to an admin privilege.

A very nice technical document which describes the definitions, challenges/risks, and solutions is worth reading here:

http://technet.microsoft.com/en-us/library/cc875826.aspx

pma111 (Author) Commented:
>>Usually the risks involved in not knowing what service accounts are used are security-related.

I'm just a bit lost at how knowing about them or not prevents the security issues related to service accounts. I.e. if you know about them, how does that help mitigate the security related issues, and how does not knowing about them make them more vulnerable to be exploited?

Ayman Bakr (Senior Consultant) Commented:
Knowing about them will give you the chance to take all security precautions as per the plans set forth - I am not a security specialist, however I think the security precautions would be something like disabling certain unnecessary service accounts, keeping an eye/monitoring service accounts that have high privileges. One of the first security precautions you take on a Windows server, though related to user accounts, is to disable the Guest account and create another local administrator account to be used instead of the built-in one while the latter's password is made complex and at a strong level. You see what I mean?

If you don't know about them you will miss closing all these security holes where a professional attacker will be very happy to discover how easy you made it for him to exploit all these vulnerabilities.

pma111 (Author) Commented:
Thanks.

Are service accounts always domain accounts or can they be local accounts on the server itself sometimes? Any specific reason for one or the other?

And how do you structure them in your AD, are they in a container just for SA's? Does MS have any best practice on where to structure them in AD?

Ayman Bakr (Senior Consultant) Commented:
Service accounts can be either the built-in local account of a computer, or a local user or domain user account.

The following article is an excellent source of what are service accounts, when to use what, and what are the best practices:

http://4sysops.com/archives/service-account-best-practices-part-1-choosing-a-service-account/

pma111 (Author) Commented:
Do you segregate your domain service accounts in their own container in AD?

Ayman Bakr (Senior Consultant) Commented:
In our environment we have an OU solely for the Admin service accounts.
Question has a verified solution.
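
An inventory along the lines discussed in this thread, as an added example: it is not the script the commenters refer to, which is not shown on this page. It reads the logon account of every service on each server, lists AD users that carry a service principal name, and reports which of the accounts in use sit in a dedicated service-account OU. The OU path and the "operating system name contains Server" filter are assumptions.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and remote CIM access.
Import-Module ActiveDirectory
$ServiceOU = 'OU=Service Accounts,DC=example,DC=com'   # placeholder, not from the thread

# Built-in and virtual identities that are not AD user accounts.
$builtIn = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

# 1. Per-server view: the logon account of every Windows service.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*'" |
    Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName
$inUse = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
            Select-Object @{ n = 'Server'; e = { $server } }, Name, StartName
    } catch {
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

# 2. AD view: user objects that have a servicePrincipalName (krbtgt is listed too).
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' |
    Select-Object -ExpandProperty SamAccountName

# 3. Cross-check every logon account found on a server against AD and the OU.
$report = $inUse | Group-Object StartName | ForEach-Object {
    $sam  = ($_.Name -split '\\')[-1]          # DOMAIN\user -> user; UPN stays whole
    $user = if ($_.Name -notlike '.\*') {      # '.\user' is a local account, skip AD
        Get-ADUser -Filter "SamAccountName -eq '$sam' -or UserPrincipalName -eq '$sam'" `
            -Properties PasswordLastSet
    }
    [pscustomobject]@{
        LogonAs         = $_.Name
        Servers         = ($_.Group.Server | Sort-Object -Unique) -join ', '
        InAD            = [bool]$user
        InServiceOU     = [bool]($user -and $user.DistinguishedName -like "*,$ServiceOU")
        HasSPN          = [bool]($user -and $spnUsers -contains $user.SamAccountName)
        PasswordLastSet = if ($user) { $user.PasswordLastSet }
    }
}

# Accounts outside the service OU sort first: these are the ones to review.
$report | Sort-Object InServiceOU, LogonAs | Format-Table -AutoSize
```

Windows services are only one place such accounts are used; scheduled tasks and IIS application pools are not covered by this inventory.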
