Service Account in AD

Service Account in Active Directory

A service account is a special user account that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform. The following table identifies categories of service accounts.

Account

Type

Description

Built-in local user account

A built-in user account is a user account that is created automatically during installation. The following three built-in user accounts are used by most services:

The Local System account (also called the System account) is a member of the local Administrators group.
The Local Service account has access rights similar to members of the Users group. This account accesses network services using a null session with no credentials. For this reason, this account might not provide sufficient network access for some services.
The Network Service account has access rights similar to members of the Users group. This account accesses network resources using the credentials of the computer account.

When using built-in local user accounts:

Accounts are automatically created.
You do not need to manage or reset account passwords.
Multiple services use the same user account, making it difficult to customize security for a specific service.

Domain user account

You can create domain user accounts for use by services. With domain user accounts:

User accounts are managed centrally in Active Directory.

You can create a single user account for a single service, or share a user account for multiple services.
You can grant only the specific privileges required by the service.
You must manage account passwords. For example, you will need to periodically reset the account password on the account as well as reset the password used by the service.

Managed service account

AND

Virtual account

A managed service account is a new account type available in Windows Server 2008 R2 and Windows 7. A managed service account provides the same benefits of using a domain user account with these improvements:

Passwords are managed and reset automatically.
When the domain is running at the Windows Server 2008 R2 functional level, the service principal name (SPN) doesn’t need to be managed as with local accounts.

When using a managed service account:

A user account can be used on only one computer (you must create at least one account per computer).

Each account can be used by multiple services on a computer. You can also create a separate account for each service.

A virtual account is a new account type available in Windows Server 2008 R2 and Windows 7 Virtual accounts:

Are not created or deleted.
Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.
To configure a service to use a virtual service account, simply edit the service properties and configure the account to use an account name of NT SERVICE\ServiceName (where ServiceName matches the name of the service).

To use managed or virtual accounts:

Computers must be running Windows Server 2008 R2 or Windows 7 for the service to use the managed or virtual account.
You must update the Active Directory schema to Windows Server 2008 R2.
Domain controllers can be Windows Server 2003, 2008, or 2008 R2. If the domain controller is below Windows Server 2008 R2, you must have the Active Directory Management Gateway Service.
If a domain controller is running Windows Server 2008 R2 (or higher), service principal names (SPN) are managed automatically. If you do not have a domain controller running at least Windows Server 2008 R2, you must manage the SPN manually. Password resets are automatically managed for any supported domain controller.

Use the Active Directory module for Windows PowerShell to manage service accounts (and other objects). Common service account cmdlets include:

o New-ADServiceAccount creates a managed service account. By default, accounts are created in the Managed Service Account container in Active Directory (you can also specify an alternate OU for the new accounts).

o Get-ADServiceAccount displays properties for managed service accounts.

o Set-ADServiceAccount modifies settings.

o Remove-ADServiceAccount deletes a managed service account.

o Install-ADServiceAccount allows the computer to use the managed service account (install the account). Run Uninstall-ADServiceAccount to uninstall the account.

7 thoughts on “Service Account in AD”

comment pirater un compte facebook gratuitement says:

March 6, 2014 at 3:00 pm

These are really great idas in regarding blogging.
You have touched some good pooints here. Any way keep upp wrinting.

kontakt 5 session strings crack says:

September 20, 2014 at 9:08 pm

Have you ever considered about including a little
bit more than just your articles? I mean, what you say
is valuable and everything. Nevertheless just imagine if you added
some great graphics or videos to give your posts more, “pop”!
Your content is excellent but with pics and video clips, this blog
could certainly be one of the greatest in its niche.
Great blog!

- Habibar Rahman says:
  
  September 20, 2014 at 9:14 pm
  
  Thanks for your valuable feedback.. ! I will definitely work on your suggestions 🙂
  
Pingback: Automating Azure Resource Manager | Robert Daniel Moore's Blog
kumar says:

May 15, 2015 at 8:12 pm

I need to know full details of a service account . Can you please send procedure to sravan.vy235@Gmail.com . Thanks in advance .

John Derdon says:

July 31, 2015 at 6:35 am

Find it strange that they haven’t included this in the AD DS GUI. Powershell is great, but the learning curve changes when you don’t implement it into your GUI.

Ramesh says:

July 11, 2018 at 3:21 pm

Thank you so much 🙂