
1.4.3 Service Account Facts

Terms in this set (8)
A Service Account is a special user account that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform.
A built-in user account is a user account that is created automatically during installation. The following three built-in user accounts are used by most services:
• The Local System account (also called the System account) is a member of the local Administrators group.
• The Local Service account has access rights similar to members of the Users group. This account accesses network services using a null session with no credentials. For this reason, this account might not provide sufficient network access for some services.
• The Network Service account has access rights similar to members of the Users group. This account accesses network resources using the credentials of the computer account.
- When using built-in local user accounts:
• Accounts are automatically created.
• You do not need to manage or reset the account passwords.
• Multiple services use the same user account, making it difficult to customize security for a specific service.
You can create domain user accounts for use by services. With domain user accounts:
• User accounts are managed centrally in Active Directory.
• You can create a single user account for a single service, or share a user account for multiple services.
• You can grant only the specific privileges required by the service.
• You must manage account passwords. For example, you will need to periodically reset the account password on the account as well as reset the password used by the service.
A managed service account is a new account type available in Windows Server 2008 R2 and Windows 7. A managed service account provides the same benefits as using a domain user account, with these improvements:
• Passwords are managed and reset automatically.
• When the domain is running at the Windows Server 2008 R2 functional level, the service principal name (SPN) does not need to be managed manually, as it does with local accounts.
- When using a managed service account:
• A user account can be used on only one computer (you must create at least one account per computer).
• Each account can be used by multiple services on a computer. You can also create a separate account for each service.
A virtual account is a new account type available in Windows Server 2008 R2 and Windows 7. Virtual accounts:
• Are not created or deleted.
• Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.
- To configure a service to use a virtual service account, simply edit the service properties and configure the account to use an account name of NT SERVICE\ServiceName (where ServiceName matches the name of the service).
• Computers must be running Windows Server 2008 R2 or Windows 7 for the service to use the managed or virtual account.
• You must update the Active Directory schema to Windows Server 2008 R2.
• Domain controllers can be Windows Server 2003, 2008, or 2008 R2. If the domain controller is below Windows Server 2008 R2, you must have the Active Directory Management Gateway Service.
• If a domain controller is running Windows Server 2008 R2 (or higher), service principal names (SPNs) are managed automatically. If you do not have a domain controller running at least Windows Server 2008 R2, you must manage the SPN manually. Password resets are managed automatically for any supported domain controller.
• New-ADServiceAccount - creates a managed service account. By default, accounts are created in the Managed Service Accounts container in Active Directory (you can also specify an alternate OU for the new accounts).
• Get-ADServiceAccount - displays properties for managed service accounts.
• Set-ADServiceAccount - modifies settings.
• Remove-ADServiceAccount - deletes a managed service account.
• Install-ADServiceAccount - allows the computer to use the managed service account (installs the account). Run Uninstall-ADServiceAccount to uninstall the account.