Managing Service Accounts
A service account is an account under which an operating system, process, or service runs. A service account can grant the application or service the specific rights and permissions it needs to function properly while minimizing the permissions required by the users of the application server. Service accounts are used to run Microsoft Exchange, Microsoft SQL Server, Internet Information Services (IIS), and SharePoint.
On a local computer, you can configure an application to run as Local Service, Network Service, or Local System (as discussed in Lesson 3, "Monitoring Servers"). Although these built-in accounts are simple to configure and use, they are typically shared among multiple applications and services, and they cannot be managed at the domain level. In addition, you often need accounts that have domain administrative rights and/or permissions. Besides the traditional service account, Microsoft has introduced managed service accounts and group managed service accounts.
Creating and Configuring Service Accounts
The traditional service account is a standard user account. Therefore, it is created with the Active Directory Users and Computers console.
Typically with user accounts, you specify how often the password must be changed. When a user logs on and a password change is due, the user is prompted to change the password. With service accounts there is no interactive logon, so you configure the password not to expire. Unfortunately, any account whose password does not expire is more exposed, because an attacker has more time in which to crack the password.
To reduce the risk of using service accounts, you should follow these guidelines:
- Require a unique account to run the service on each server.
- If possible, set up the account as a local account rather than a global domain account.
- Use a strong password for the service account.
- Make sure that the password changes often. Of course, when you change the password for the account, you will have to change the password for the services or applications that use the service account simultaneously.
- Give the account the least amount of access (user rights, NTFS permissions, and share permissions) it needs to perform its necessary tasks.
- Do not share the password, and store the password in a safe location.
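The guidelines above are easiest to enforce when you can see which accounts violate them. The following audit script is an added example, not part of the original text; it assumes the ActiveDirectory module on a domain-joined admin host, WinRM access to the listed servers, and constructed server names (app01, app02).

```powershell
# Added example: report traditional service accounts that contradict the
# guidelines (non-expiring passwords, stale passwords, Domain Admins
# membership, one account shared across several hosts).
Import-Module ActiveDirectory

# Servers to inspect; constructed sample names.
$servers = 'app01', 'app02'

# 1. Enabled domain accounts flagged "Password never expires", with password age.
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, MemberOf |
    Select-Object SamAccountName,
        @{n='PasswordAgeDays'; e={ if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 } }},
        @{n='IsDomainAdmin';   e={ [bool]($_.MemberOf -match '^CN=Domain Admins,') }}  # direct membership only

# 2. Which domain accounts actually run services, and where.
$usage = foreach ($s in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $s
                Service = $_.Name
                Account = ($_.StartName -split '\\')[-1].TrimEnd('$')   # strip DOMAIN\ and MSA "$"
            }
        }
}

# 3. Join the two views: an account used on more than one host, a password
#    older than the rotation policy, or a Domain Admins member running a
#    service are the findings a reviewer should act on.
$report = foreach ($acct in $neverExpires) {
    $hosts = ($usage | Where-Object Account -eq $acct.SamAccountName).Server | Sort-Object -Unique
    [pscustomobject]@{
        Account           = $acct.SamAccountName
        PasswordAgeDays   = $acct.PasswordAgeDays
        IsDomainAdmin     = $acct.IsDomainAdmin
        ServersUsingIt    = $hosts -join ','
        SharedAcrossHosts = @($hosts).Count -gt 1
    }
}
$report | Sort-Object -Descending PasswordAgeDays | Format-Table -AutoSize
```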
CREATE A SERVICE ACCOUNT
To create a traditional service account, perform the following steps:
- Open Server Manager.
- Click Tools > Active Directory Users and Computers.
- In the console tree, double-click the Domain node to expand the node.
- In the Details pane, right-click the organizational unit where you want to add the service account, click New, and then click User. The New Object - User Wizard starts.
- In the First name text box, type a first name for the service account.
- In the Last name text box, type a last name for the service account.
- Modify Full name as desired.
- In the User logon name text box, type the name with which the service account will log on. Click Next. The password options appear.
- In the Password and Confirm password text boxes, type a password for the service account.
- If you don't want the password to expire, select the Password never expires option. When a dialog box opens stating that the password will never expire and that the user will not be required to change the password at next logon, click OK.
- Click Next.
- Click Finish to complete creating a service account.
After the service account is created, you can double-click it in the Active Directory Users and Computers console to open the account properties. You can then add the account to groups by using the Member Of tab.
Creating and Configuring Managed Service Accounts
Managed service accounts (MSAs), introduced with Windows Server 2008 R2, improve on the traditional service account in Windows. They are objects of the Active Directory msDS-ManagedServiceAccount class, which enables automatic password management and SPN management for service accounts.
Rather than manually changing the account password and then the password stored by each service or application, you use an MSA, whose password is changed automatically on a regular basis.
As mentioned previously, MSAs are stored in Active Directory Domain Services (AD DS) as msDS-ManagedServiceAccount objects in Windows Server 2008 and as msDS-GroupManagedServiceAccount objects in Windows Server 2012. This class inherits structural aspects from the Computer class (which in turn inherits from the User class). This enables an MSA to fulfill user-like functions, such as providing the authentication and security context for a running service, while using the same automatic password update mechanism that Computer objects use in AD DS. However, a standard MSA cannot be shared between multiple computers or used in server clusters where the service is replicated between nodes.
Similar to computer accounts, a managed service account establishes a complex, cryptographically random, 240-character password and changes that password when the computer changes its own password. By default, this occurs every 30 days. An MSA cannot be locked out and cannot perform interactive logons.
MSAs provide the following benefits to simplify administration:
- Automatic password management
- Simplified SPN management
MSAs are stored in the CN=Managed Service Accounts, DC=<domain>, DC=<com> container, which is visible when you enable the Advanced Features option in the View menu of Active Directory Users and Computers. You can also see the container in the Active Directory Administrative Center.
To have MSAs, you must have the following:
- Windows Server 2008 R2 or Windows Server 2012 domain controller
- .NET Framework 3.5.x
- Active Directory module for Windows PowerShell
Note:
For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group managed service accounts (covered in the next section) rather than the original standalone MSAs.
USING WINDOWS POWERSHELL
Before you can create an MSA object, you need to create a Key Distribution Service (KDS) root key for the domain. To create the root key, run the following cmdlet from the Active Directory module for Windows PowerShell:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
You back-date the effective time by 10 hours so that AD DS replication has a chance to replicate the key to the other domain controllers in the domain. In test environments, you can use Add-KDSRootKey -EffectiveImmediately instead.
USING WINDOWS POWERSHELL
To create and associate an MSA, perform the following steps:
- Create an AD service account with the following command:
New-ADServiceAccount -Name <MSA_Name> -DNSHostName <DNS name of Domain_Controller>
- Add-ADComputerServiceAccount associates the MSA with a computer account in the AD DS domain:
Add-ADComputerServiceAccount -Identity <Host_Computer_Name> -ServiceAccount <MSA_Name>
- Install-ADServiceAccount installs the MSA on a host computer in the domain and makes the MSA available for use by services on that host:
Install-ADServiceAccount -Identity <MSA_Name>
When you create a managed service account, you must specify a short account name of fewer than 15 characters. The dollar-sign suffix lengthens the name, and the resulting SAM account name must be 15 characters or less. Although you can create a managed service account with a longer name in Active Directory, you will be unable to install or use the managed account on a computer.
For example, to create the testsvc account on the domain controller, run the following commands in the Active Directory module for Windows PowerShell:
new-adserviceaccount -name testsvc -dnshostname win2012srv.contoso.com
add-adcomputerserviceaccount -identity win2012srv -serviceaccount testsvc
Then go to win2012srv and execute the following command using Windows PowerShell:
Install-ADServiceAccount -Identity testsvc
After you install the managed service account, you can configure a service to use the account as its logon identity. When you specify the logon account, be sure that the name includes the dollar sign ($).
USE THE MSA WITH A SERVICE
To configure a service to run under the MSA, perform the following steps:
- Open Server Manager.
- Click Tools → Services. The Services console opens.
- Double-click the desired service. The service's Properties dialog box opens.
- Click the Log On tab.
- Select the This account option and type the name of the service account in the This account text box.
- Clear the password in the Password and Confirm password text boxes.
- Click OK.
- When a message states that the account has been granted the Log On As A Service right, click OK.
- When a message states that the new logon name will not take effect until you stop and restart the service, click OK.
Alternatively, on the Log On tab of the service's properties, select This account and then click Browse. Type the name of the managed service account, and then click OK. On the Log On tab, confirm that the name appears with a dollar sign ($). The account is granted the Log On As A Service right.
If you move a service to another computer and want to use the same managed service account on the target system, you must first use the Uninstall-ADServiceAccount cmdlet to remove the managed service account from the current computer and then use the Install-ADServiceAccount cmdlet on the new computer.
If necessary, when you create the new MSA, you can also specify the SPN by using the -ServicePrincipalNames <SPN_string> parameter:
New-ADServiceAccount -Name svcaccount -DNSHostName win2012srv.contoso.com -ServicePrincipalNames HTTP/portal.contoso.com,HTTP/portal
To change the parameters of a service account, use Set-ADServiceAccount. To delete a service account with Windows PowerShell, use Remove-ADServiceAccount. To display a list of the service accounts, use Get-ADServiceAccount.
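The creation, association, SPN and name-length rules above fit together in one script. This is an added example, not the text's own commands; it assumes the ActiveDirectory module, WinRM access to the host, and constructed names (svc-web, web01, web01.contoso.com, the two SPNs).

```powershell
# Added example: create a standalone MSA with the 15-character SAM name
# rule enforced up front, associate it with its host, then verify the
# install from the host itself.
Import-Module ActiveDirectory

function New-StandaloneMsa {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $HostName,   # computer account name
        [Parameter(Mandatory)] [string]   $HostFqdn,   # value for -DNSHostName
        [string[]] $Spn = @()
    )
    # The SAM account name is "<Name>$"; if the total exceeds 15 characters the
    # object is created but Install-ADServiceAccount fails on every host.
    if (($Name.Length + 1) -gt 15) {
        throw "MSA name '$Name' too long: '$Name`$' is $($Name.Length + 1) characters, maximum is 15"
    }
    if (Get-ADServiceAccount -Filter "Name -eq '$Name'") {
        throw "Service account '$Name' already exists"
    }
    # On Windows Server 2012 New-ADServiceAccount creates a gMSA by default;
    # -RestrictToSingleComputer requests the classic single-host MSA.
    $params = @{
        Name                     = $Name
        DNSHostName              = $HostFqdn
        RestrictToSingleComputer = $true
    }
    if ($Spn) { $params.ServicePrincipalNames = $Spn }
    New-ADServiceAccount @params
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $Name
    Get-ADServiceAccount -Identity $Name -Properties ServicePrincipalNames, HostComputers
}

# Create the account and associate it with web01 (constructed names).
New-StandaloneMsa -Name 'svc-web' -HostName 'web01' -HostFqdn 'web01.contoso.com' `
    -Spn 'HTTP/portal.contoso.com', 'HTTP/portal'

# Install on the host (via WinRM) and confirm it can retrieve the managed
# password: Test-ADServiceAccount returns $true only when the install worked.
Invoke-Command -ComputerName 'web01' -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svc-web'
    Test-ADServiceAccount -Identity 'svc-web'
}
```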
Creating and Configuring Group Managed Service Accounts
The one limitation of managed service accounts is that each can be used on only one server. Therefore, if you have a cluster or farm where you need to run the system or application service under the same service account, you cannot use managed service accounts. Group managed service accounts are similar to managed service accounts, but they can be used on multiple servers at the same time.
To use group managed service accounts, you must have at least one domain controller running Windows Server 2012 so that it can store the managed password information. As with MSAs, you have to create a KDS root key first.
USING WINDOWS POWERSHELL
To create a group managed service account, use New-ADServiceAccount with the -PrincipalsAllowedToRetrieveManagedPassword parameter to specify one or more comma-separated computer accounts or AD DS groups. For example, to create the group managed service account called groupsvc that will be used on server1, server2, and server3, use the following command:
New-ADServiceAccount -Name groupsvc -DNSHostName win2012srv.contoso.com -PrincipalsAllowedToRetrieveManagedPassword server1,server2,server3
You can then go to each server and run the Install-ADServiceAccount command.
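Listing computers individually means editing the account every time the farm grows. The script below, an added example rather than the text's own commands, instead authorizes a security group of hosts, installs and verifies the account on each member, and binds a service to it; it assumes the ActiveDirectory module, WinRM access to the farm, and constructed names (gMSA-Farm-Hosts, svc-farm, farm01-03, MyFarmService, CONTOSO).

```powershell
# Added example: gMSA whose password is retrievable by a host group, then
# per-host install, verification and service binding.
Import-Module ActiveDirectory

$groupName   = 'gMSA-Farm-Hosts'
$accountName = 'svc-farm'            # "svc-farm$" stays within the 15-character limit
$members     = 'farm01', 'farm02', 'farm03'
$serviceName = 'MyFarmService'       # placeholder Windows service name

# 1. A KDS root key must exist before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group of the computer accounts allowed to retrieve the password.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members ($members | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA against the group, not the individual computers, and
#    restrict it to AES so the account never offers RC4 Kerberos tickets.
New-ADServiceAccount -Name $accountName -DNSHostName "$accountName.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256

# 4. Each host sees its new group membership only after its computer account
#    re-authenticates (reboot, or purge the system ticket cache). Then install,
#    verify, and bind the service.
Invoke-Command -ComputerName $members -ScriptBlock {
    param($acct, $svc)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $acct
    if (-not (Test-ADServiceAccount -Identity $acct)) {
        throw "$env:COMPUTERNAME cannot retrieve the managed password for $acct"
    }
    # The logon name keeps the trailing "$" and the password is left empty,
    # because the host fetches it from AD. Unlike the Services console,
    # sc.exe does not grant the Log On As A Service right; assign that
    # right through Group Policy for the group's members.
    sc.exe config $svc obj= "CONTOSO\$acct`$" password= ""
    Restart-Service -Name $svc
} -ArgumentList $accountName, $serviceName
```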