Service Accounts

A service account is a user account that is created to isolate a service or application. This video looks at how to create and use service accounts in your organization.

What is a service account
A service account is a user account that has been created to run a particular piece of software or service.

Principle of least privilege
The principle of least privilege means giving a user only the minimum amount of access required. For example, if a user only requires access to certain files, then they should only have access to those files. If the user only requires access to certain servers or workstations, they should only have access to those. The advantage of this is that it minimises the amount of damage that can be done if the user account were to become compromised. When applied to service accounts, one service account should be created for each service or application. If the same service account is shared between services and applications, and that service account stops working (for example, because the account became locked), all software using it would be affected.

Using the same user account for multiple services
Some administrators choose to run multiple services and applications using the same user account. To ensure that there are no problems running their software, some administrators even use a user account that has Domain Administrator access. If you use the same user account for multiple pieces of software, and the user account fails for any reason, all the software using that service account is also affected. If the account is compromised, it can be used to access resources on the network, and the more access the service account has, the more potential damage it can do. Anyone who controls the account can also stop every application and service that uses it from running, simply by changing the account's password.

Service Account Lockout
When the password for a service account is changed, the password must be updated in every location that uses the service account. A user account can become locked after too many wrong password attempts. When the service account is used in multiple locations and the password is not updated in all of them, the remaining locations keep presenting the old password. From Windows Server 2003 with Service Pack 1 onwards, Active Directory checks a failed password against the last two passwords used; if there is a match, the attempt does not count towards locking the service account.

Service account expires
It should be noted that if a service account password expires, the account cannot be used until its password has been changed, so the service using it stops working.
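The two failure modes above (lockout because a stale password is still stored somewhere, and expiry) are easiest to avoid when you know every place the account is used before rotating its password. The following PowerShell is an added example, not part of the original lesson; it assumes the ActiveDirectory RSAT module, CIM access to the listed servers, and the constructed names CORP, svc-backup, APP01, APP02 and SQL01.

```powershell
# Added example (not from the original lesson). Assumes the ActiveDirectory
# RSAT module, CIM/WinRM access to the servers, and constructed names below.
Import-Module ActiveDirectory

$Domain  = 'CORP'
$Account = 'svc-backup'
$Servers = @('APP01', 'APP02', 'SQL01')   # constructed server list

# 1. State of the account itself: locked out, expired, or set never to expire?
$u = Get-ADUser -Identity $Account -Properties LockedOut, PasswordExpired, PasswordNeverExpires, PasswordLastSet, badPwdCount
[pscustomobject]@{
    Account              = "$Domain\$Account"
    LockedOut            = $u.LockedOut
    PasswordExpired      = $u.PasswordExpired
    PasswordNeverExpires = $u.PasswordNeverExpires
    PasswordLastSet      = $u.PasswordLastSet
    BadPwdCount          = $u.badPwdCount   # per-DC value; queried DC only
} | Format-List

# 2. Every service on every listed server that logs on as this account.
#    These are the "locations" whose stored password must change together;
#    any one left on the old password will keep failing and drive a lockout.
$uses = foreach ($s in $Servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s |
        Where-Object { $_.StartName -ieq "$Domain\$Account" -or
                       $_.StartName -like "$Account@*" } |
        Select-Object @{n='Server';e={$s}}, Name, State, StartMode, StartName
}
$uses | Format-Table -AutoSize

# 3. Rotate the password in AD, then push it to every location found above.
#    sc.exe config is the command-line equivalent of the service's Log On tab.
$new   = Read-Host -AsSecureString "New password for $Domain\$Account"
Set-ADAccountPassword -Identity $Account -NewPassword $new -Reset
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($new))
foreach ($svc in $uses) {
    & sc.exe "\\$($svc.Server)" config $svc.Name obj= "$Domain\$Account" password= $plain
}
$plain = $null
```

Run the inventory step on its own first; a service that appears on a server you did not expect is exactly the location that would otherwise be left on the old password.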

Demonstration
The following procedure can be used to create a service account.

Run Active Directory Users and Computers.

Right click the OU where you want the user to be created.

When prompted, ensure that "User must change password at next logon" is not ticked. If it is ticked, the service account cannot be used until the password has been changed.

To prevent the password for the service account from expiring, tick the "Password never expires" tick box. To maintain good security when this option is ticked, the password for the user account should still be changed at regular intervals.

For additional security for your service account, you can create a domain group and place the service account in that group. Once the service account has been added to this group, you can remove all of its other group memberships. This ensures the service account does not have any permissions, not even Domain Users permissions, unless they are explicitly allocated to the service account.

To give the service account access to a particular service, type lusrmgr.msc in the start menu to edit the local users and groups. Add the service account to the local groups as required.

To change the password that is being used by a service account, open Services from the start menu. Open the properties for the service whose password you want to change and change the password on the Log On tab.
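The same procedure can be scripted so that every service account in the organization is created the same way. This PowerShell is an added example, not the lesson's own (GUI) steps; it assumes the ActiveDirectory RSAT module and the constructed names CORP, svc-backup, the group SA-Backup, the OU "OU=Service Accounts,DC=corp,DC=local" and the server APP01.

```powershell
# Added example (not the lesson's own steps). Assumes the ActiveDirectory RSAT
# module and the constructed names below; replace them with your own.
Import-Module ActiveDirectory

$OU    = 'OU=Service Accounts,DC=corp,DC=local'
$Name  = 'svc-backup'
$Group = 'SA-Backup'
$Pwd   = Read-Host -AsSecureString "Initial password for $Name"

# Create the user with "must change password at next logon" OFF and
# "password never expires" ON, so the service is never blocked by either.
New-ADUser -Name $Name -SamAccountName $Name -Path $OU -AccountPassword $Pwd `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true `
    -Description 'Service account for backup agent; rotate password quarterly'

# Dedicated group, then strip every other membership, Domain Users included.
# Domain Users is the primary group, and AD refuses to remove a primary group,
# so the new group must be made primary first.
New-ADGroup -Name $Group -GroupScope Global -Path $OU -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity $Group -Members $Name
$token = (Get-ADGroup -Identity $Group -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $Name -Replace @{ primaryGroupID = $token }
Get-ADPrincipalGroupMembership -Identity $Name |
    Where-Object Name -ne $Group |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Name -Confirm:$false }

# Grant only the local rights the service needs on the server that runs it
# (the lusrmgr.msc step). Backup Operators is a constructed choice; pick the
# least powerful local group that lets the service work.
Invoke-Command -ComputerName 'APP01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Backup Operators' -Member "CORP\$using:Name"
}

# Check: never expires, no forced change, and membership of exactly one group.
Get-ADUser -Identity $Name -Properties PasswordNeverExpires, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordExpired
(Get-ADPrincipalGroupMembership -Identity $Name).Name   # expect only SA-Backup
```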

Summary
A service account is a user account that is created to run a particular service or software. To prevent an outage of the service if the password expires, you can configure the user account password not to expire. This will also mean that the administrator will need to remember to change the password at regular intervals to ensure good security. In line with the principle of least privilege, a service account should be given the minimum amount of rights it needs to operate.

