clarification on "service accounts"

My organization is calling active directory accounts they use to connect to some network functions as a service account.

I am trying to tell them that service accounts are inherently not active directory accounts but only reside on the local machine in a classical windows setup.
am I correct?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Steve WhitcherSystems AdministratorCommented:
No, an AD account could be used as a service account.  In recent windows versions, there are even managed service accounts, which MUST be ad accounts.
"in a classical windows setup" - funny term - what do you think that means? :)
Imagine: on a domain joined machine (a "classical" win7/server 2008 r2), if you configure a service to use the system account - is that an active directory account you are using, or not? It is! The machine is domain joined and the system account (aka computer account aka computername$) is an active directory object and can even act across the network.

With the aforementioned managed service accounts, microsoft tried to promote the concept even further so that some admins might finally leave their own strong domain admin accounts out of this dangereous service business...
jamesmetcalf74Author Commented:
So What Kind Of ACCOUNT Is NORMALLY Used As A Service ACCount if ad users can be used as a service account.   What's the other method
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Will SzymkowskiSenior Solution ArchitectCommented:
When you are using Services Accounts it is always a best practice to do the following...
- Create an OU specifically for Service Accounts (central location)
- Create a Service Account Name Prefix like SVC_ServiceName
- Make sure that Passwords for Service accounts cannot be changed
- Ensure that Service Accounts have a stronger password than Default domain policy (using FGPP/PSO 2008 and up)
- On the Service Accounts make sure that you set the logon computers only to the ones where the service account needs to be running

Also regarding Managed Service Accounts can also be used but from personal experience they are not a good solution to implement. They take a lot of time setting them up and you do not see much benefit. Also Service Accounts are a glorified computer object. As computer objects also have passwords but they are managed within Active Directory itself.

If you have followed the steps above then you will be in a good situation when managing/locating/securing Service Accounts

"What Kind Of ACCOUNT Is NORMALLY Used As A Service ACCount" - There's no "normally", we cannot use that term.

But most applications that install services use "local system" which is an active directory account on domain joined computers.
Steve WhitcherSystems AdministratorCommented:
The main advantages to Managed Service accounts are security related --
1) The account password is managed by AD and the computer the account is used on.  That means the password gets changed regularly, and no users, not even the admins, know the password or have it saved in a list somewhere.   (Setting an account to have a password never expire, like some admins did for old style service accts, is less than ideal.)
2) The MSA can't be used to log on to a computer interactively, even if you DID somehow know what the password for the account was.

The older type of MSA's, introduced in server 2008r2, were limited to being used on a single computer or server.  That did provide some additional security, in that the account can not be used anywhere but on that one machine.  Unfortunately, this also made them a little more of a hassle to use in some cases. Group Managed Service Accounts, introduced in Server 2012, can be used across multiple servers.

Here's a technet article on the new gMSA's, and an older blog post about the server 2008 style of MSA's.  There's a lot of good information in these:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.