AD Service Accounts

Traditionally, service accounts have been user accounts that provide authentication and authorization for applications or services running on Windows servers.

After creating the account in Active Directory Users and Computers, we need to set the service to use the account.

To set the service:

  1. Open Services (services.msc)
  2. Right-click the service and click Properties
  3. Click the Log On tab, select "This account" and enter the required details
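The same change can be scripted. The block below is an added example, not part of the original post; it sets a service's Log On account through the Win32_Service Change method, which is what the Services console does behind the scenes. The service name and account name are placeholders.

```powershell
# Added example (not from the original post): set a service's Log On account from PowerShell,
# the equivalent of the Services console steps above. Names below are hypothetical.
$ServiceName = 'MyAppService'          # hypothetical service
$Account     = 'CONTOSO\svc_myapp'     # hypothetical traditional (user) service account
$Secure      = Read-Host -AsSecureString 'Service account password'
$Plain       = [System.Net.NetworkCredential]::new('', $Secure).Password

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Win32_Service.Change takes StartName/StartPassword; ReturnValue 0 means success.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $Plain
}
if ($result.ReturnValue -ne 0) {
    throw "Change failed with Win32_Service return code $($result.ReturnValue)"
}

# Read the effective log-on account back to confirm the change took.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName

Restart-Service -Name $ServiceName
```

One caveat: when you pick an account in the Services console it also grants that account the "Log on as a service" right. When you configure the account any other way, confirm the account already holds that right (Local Security Policy, User Rights Assignment), otherwise the service fails to start with a logon failure.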


Windows comes with built-in service accounts:

  • Local Service
  • Network Service
  • Local System (this account has the most permissions of the three)


Windows can also use virtual service accounts, which are managed local accounts that:

  • are automatically managed
  • can access network resources, presenting the computer's credentials as <domain_name>\<computer_name>$
  • require no password management

The service's Log On account is set to NT Service\<ServiceName> and the password field is left blank.

You can use virtual accounts with IIS. The user is called IIS AppPool\<apppoolname> (for example, IIS AppPool\DefaultAppPool).
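To tie the built-in, virtual and IIS identities together, the block below (an added example, not part of the original post) first moves a service onto its virtual account and then inventories every service on the host by the kind of account it logs on with, so the user accounts whose passwords still need managing stand out. The service name is a placeholder.

```powershell
# Added example (not from the original post): move a service to its virtual account,
# then classify every service by log-on identity. The service name is hypothetical.
$ServiceName = 'MyAppService'   # hypothetical service

# The virtual account is NT SERVICE\<ServiceName>; no password is passed because Windows manages it.
& sc.exe config $ServiceName obj= "NT SERVICE\$ServiceName"
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $ServiceName

# Map a Win32_Service.StartName value to the kind of account it represents.
function Get-ServiceAccountKind {
    param([string]$StartName)   # [string] turns a null StartName into ''
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'         { 'Local System (highest privilege)'; break }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' { 'Built-in ' + $StartName.Split('\')[1]; break }
        '^NT SERVICE\\'                                { 'Virtual account'; break }
        '^IIS APPPOOL\\'                               { 'IIS app pool identity'; break }
        '^$'                                           { 'Not set'; break }
        default                                        { 'User account (password must be managed)' }
    }
}

# Inventory: the "User account" rows are the traditional service accounts from the start of this post.
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, StartName, @{ n = 'AccountKind'; e = { Get-ServiceAccountKind $_.StartName } } |
    Sort-Object AccountKind, Name |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the inventory part is read-only and is a quick way to see which services still run as Local System or under a user account that a virtual account could replace.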

