Proper process for creating AD accounts that will only be used to run services

What is the proper process for creating Active Directory accounts that will only be used to run services such as Symantec Backup Exec without granting any additional or too many rights to these AD accounts (such as not allowing these AD accounts to log on locally or using Remote Desktop) within Server 2016?
IT Guy (Network Engineer) asked:

yo_bee (Director of Information Technology) commented:
I am not 100% sure, but this account will need to log on interactively to be able to back up files. So not allowing this account interactive logon might not be an option.

I would create an account that is copied from the domain admin. From there I would create a super long ass strong password and save a hard copy in a safe place. Something really cryptic.
Pber (Solutions Architect) commented:
For the example of a backup account, the account will likely need either Local Administrators rights or Backup Operators rights (likely the Administrators group). As yo_bee mentioned, the domain admin option is quick and dirty, but a very bad security practice.

A better idea would be to create a normal AD account and create a GPO that uses Restricted Groups (Member of) to place that account in the local Administrators group and scope it to all the machines it needs to back up. Unfortunately, backup accounts usually need lots of access. So this limits the footprint of that account to only the endpoints that require it. I would also give this account (as yo_bee put it) a super long ass password as well.
Pber (Solutions Architect) commented:
You could also further lock that account down with GPOs and the User Rights Assignment of:
  • Deny log on locally
  • Deny log on through Remote Desktop Services

Just place those same settings in the GPO that performs the Restricted Groups additions from my first post.
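
Added example, not part of the thread: a PowerShell check over a GPO security template (GptTmpl.inf) that confirms the three settings described above, the Restricted Groups "Member of" Administrators entry and the two deny rights. The sample template and SID are constructed, the function names are hypothetical, and the check assumes the template stores accounts as SIDs prefixed with `*`.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf); the SID is a
# made-up placeholder for the service account. The RDP deny right is left out
# on purpose so the check reports a gap.
$SampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@

function ConvertFrom-SecurityTemplate {
    # Parse INF text into @{ Section = @{ Key = @(values without leading '*') } }.
    param([Parameter(Mandatory)][string]$Text)
    $sections = @{}
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].Trim()
            $values = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            $sections[$current][$key] = $values
        }
    }
    $sections
}

function Test-ServiceAccountLockdown {
    # Hypothetical helper: reports whether the template applies the three settings.
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$Sid)
    $template = ConvertFrom-SecurityTemplate -Text $Text
    $rights = $template['Privilege Rights']; if (-not $rights) { $rights = @{} }
    $groups = $template['Group Membership']; if (-not $groups) { $groups = @{} }
    [pscustomobject]@{
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
        MemberOfLocalAdministrators = $groups["*${Sid}__Memberof"] -contains 'S-1-5-32-544'
        DenyLogOnLocally            = $rights['SeDenyInteractiveLogonRight'] -contains $Sid
        DenyLogOnThroughRds         = $rights['SeDenyRemoteInteractiveLogonRight'] -contains $Sid
    }
}

Test-ServiceAccountLockdown -Text $SampleInf -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

To run it against a real GPO, pass the content of that GPO's GptTmpl.inf (read with `Get-Content -Raw`) and the service account's SID instead of the sample values.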

David Johnson, CD, MVP (Owner) commented:

yo_bee (Director of Information Technology) commented:
Dave, that sounds ideal.
Pber (Solutions Architect) commented:
I would normally suggest a Managed Service Account, but for a backup account it wouldn't be the best option. Managed Service Accounts are created on a per-computer basis. So it would require creating an account for each machine; that would be a nightmare. There are also lots of application compatibility issues with Managed Service Accounts. I usually only use Managed Service Accounts for Microsoft services, and still that's hit or miss.
The only advantage the Managed Service Account gives you is that the password is secure and regularly changed and controlled by AD. It still needs to be granted the proper rights.