Services Account Configuration

How the the service account configuration should be? Do we need to add the service account in administrators groups?
I think it should be only domain users with no password expiry and add it to ACT AS PART OF THE OPERATING SYSTEM in group policy. Let me know if there is any suggestion.

REgards
Se LaiSystem Administrator Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SeanSystem EngineerCommented:
What are you trying to accomplish with these? If it is just to run a program on a specific computer then I would add that service account as a local admin to that PC only and leave it as a standard user on the domain. If you are trying to use it to authenticate for LDAP querys then you don't need admin rights to do that so an standard user will work.

Only in an extreme case would I set a service account as an admin anywhere other than a local PC and be sure there is a policy to change that password often.

Any other account just set to never expire, generate a long cryptic password and document it and let it run.
0
Shaun VermaakTechnical SpecialistCommented:
  • Use managed service accounts whenever possible
  • Deny logon locally
  • Set User cannot change password and type password out for vendors (do not give them passwords)
  • Set maximum password (128 characters, use copy and paste) and do not reuse passwords
  • Never, ever give Domain Admin rights
  • Store passwords in vault
  • Always assign owner and give full descriptions
  • Follow proper naming-standard
0
Se LaiSystem Administrator Author Commented:
Thank you

Manage account mean? Can explain it little more
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

DonNetwork AdministratorCommented:
0
Se LaiSystem Administrator Author Commented:
I am trying to restrict all service accounts from domain rights. only allow them to able to run services... mean third party applications or exchange. SQL and so on.
0
Shaun VermaakTechnical SpecialistCommented:
Was still editing...

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SeanSystem EngineerCommented:
Best solutions.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
permission

From novice to tech pro — start learning today.