Can I ask a quick question about service accounts - are they typically local accounts on a server? i.e. if I check local groups will the service account be listed as a normal account? Or are they different?
Secondly it is best practice to deny service accounts permissions to interactively logon to systems, but how can you check if such a control is in operation? What evidence would there be to see if SA's can interactively login or cant?