active directory

I have created some 7 different service accounts as per different applications which need to be installed on Windows Server 2012, and they have one password.

Can I enable them for RDP? My boss says it is a security risk.

Secondly, can I add those service accounts to a security group and add individual users to it?

In our environment we have denied logons to Service Accounts. I would advise against granting Service Accounts RDP access.

Also what do you mean by your 2nd question?
pramod1 (Author) commented:
How to add users to service accounts to gain access and install applications?

You can't add users to service accounts. When you say users, do you mean IT admins or standard users?

Also, who are the domain admins in your environment? Usually these sorts of things are done by them.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
For starters, your service accounts can be local computer accounts. If you wish to use a domain account then it should be a member of Domain Users only, as privileges for services on each computer will be added to the account for those computers only. Second of all, no two accounts should be configured with the same password, and yes, this is a security risk. Service accounts should never be part of any security groups such as ones used for share access, etc. Service accounts should be configured with the least privileges and security group memberships.

Refer to the document listed below for the Managed Service Accounts feature in 2012:

Will Szymkowski (Senior Solution Architect) commented:
"Can I enable them for RDP? My boss says it is a security risk."

Service accounts should not require RDP access to work. They may, however, require local admin rights (which then does provide them RDP access if RDP is enabled on the server).

However, another level of security is locking each service account down so it is only able to log in to the specific server where it needs to run.

You can do this from ADUC: right-click the service account, select Properties, Account tab, Log On To... button.

"Secondly, can I add those service accounts to a security group and add individual users to it?"
You can do this as well, but just be cognizant about what groups you assign to service accounts.

This will only allow this service account to log in to this machine, and it cannot be used anywhere else.
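
The "Log On To" restriction and the group-membership advice from the answers above, as an added audit example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the OU, account name and server name are hypothetical.

```powershell
# Added example: report service accounts that can log on anywhere or sit in privileged groups.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com'   # hypothetical OU
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

function Get-ServiceAccountFinding {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties LogonWorkstations, MemberOf |
        ForEach-Object {
            # MemberOf holds group DNs and omits the primary group (normally Domain Users).
            $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
            [pscustomobject]@{
                Account          = $_.SamAccountName
                # Empty LogonWorkstations means the "Log On To" list is "All computers".
                LogOnTo          = if ($_.LogonWorkstations) { $_.LogonWorkstations } else { '(any computer)' }
                Unrestricted     = [string]::IsNullOrEmpty($_.LogonWorkstations)
                PrivilegedGroups = @($groups | Where-Object { $PrivilegedGroups -contains $_ }) -join ', '
                OtherGroups      = @($groups | Where-Object { $PrivilegedGroups -notcontains $_ }) -join ', '
            }
        }
}

# Show only the accounts that need attention.
Get-ServiceAccountFinding -SearchBase $ServiceAccountOU |
    Where-Object { $_.Unrestricted -or $_.PrivilegedGroups } |
    Format-Table -AutoSize

# Same setting as ADUC > Account tab > "Log On To...": pin one account to one server.
# 'svc-biztalk' and 'BIZTALK01' are hypothetical names; remove -WhatIf to apply the change.
Set-ADUser -Identity 'svc-biztalk' -LogonWorkstations 'BIZTALK01' -WhatIf
```

Denying RDP itself is a user-rights assignment ("Deny log on through Remote Desktop Services") set through Group Policy or local security policy, which this script does not read.
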

pramod1 (Author) commented:
I wanted domain admins to be added to service accounts relating to their application group.

Like, I have created a service account for BizTalk admins; I wanted to add admins who will be working on BizTalk to the BizTalk service account, which in turn will be added to a universal security group.

Am I saying something wrong?

You can add service accounts to the Domain Admins group, but that would be classed as over-privileging an account. I would agree with the above comments on using a standard AD account but ensuring this is a local admin of the service the admin rights are required on, or you could create a local user account on the respective server and make that local user a local administrator as well.

pramod1 (Author) commented:
Can you name some built-in service accounts created in AD?

Will Szymkowski (Senior Solution Architect) commented:
"Like, I have created a service account for BizTalk admins"

I think you are mistaking a Group for a Service Account based on your comment above.

Service Accounts are actual AD Accounts that run processes for a specific service. This is not a group.

If this is the case then yes you can add users to this admin group, but these are not Service Accounts.

