A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service’s ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell. You may also want to visit the following interesting articles. What are the merits and demerits of Local System Account and Service Logon Account, how to delete and restore objects using Active Directory Administrative Center, and what are the differences between an Active Directory contact and a user account object?
A service account is a user account that is created to isolate a service or application. Services accounts use the principle of least privilege: The principle of least privilege is giving the user only the minimum required amount of access. For example, if a user only requires access to certain files then they should only have access to those files.
This article describes how you can create and use service accounts in your organization. The advantage of creating a service account is to help limit the extent of damage that can be done if the user account was to become comprised. When used with service accounts, one service account should be created for each service or application. If the same service account is shared between services and applications, and this service account was to stop working all software using this service account would be affected. Please see these related articles. How to Transfer User Profile to another User in Windows and Windows Cached Credentials: How does cached domain logon work?
Note: The following below is very vital if you are responsible for creating service accounts in your organization.
Service Account Lockout
When the password for a service account is changed, the password must be updated in all locations that use the service account. A user account can become locked after too many wrong password attempts. When the service account is used in multiple locations and the password is not updated in all locations, the old password will still be used. After Windows Server 2003 with Service Pack 1, Active Directory will check the last two passwords used. If there is a match, the service account will not be locked.
Service Account expires
It should be noted that if a service account password was to expire, this will prevent the user account from being able to be used until the password for the user account has been changed.
First, we will have to create a Container (Organisation Unit) to house our security Groups and Service accounts. To create an Organisation Unit (OU), you will have to launch the Server Manager as shown below. Click on the Start Menu and Click on Server Manager.
This will open the Server Manager as shown below. Click on the Tools menu and select “Active Directory Users and Computers”.
Right-click on your DC and select New and then select Organisation Unit.
This will open the New-Object – Organisation Unit window. Enter your desired OU name. Ensure the Protect container from accidental deletion is checked. This is usually checked by default.
You may want to see this article on how to delete OUs (Organisational Unit) or Container in Active Directory
As you can see below, the container (OU) has been created. These service accounts and security groups I will be creating later on, and will be placed in this container.
Service Account Creation
To create a service account, Run Active Directory Users and Computers.
Right-click the OU where you want the user to be created. Please refer to the following how-to guides for related content. How to add or delete users and set permissions in Azure Active Directory, and how to create a contact in Active Directory.
This will open the New Object wizard. Populate the interface with your desired information as shown below.
When prompted, ensure the user must change the password at the next logon is not ticked. This will prevent the service account from being used until the password has been changed. To prevent the password for the service account from expiring, tick the tick box password never expires.
Finally, click on Next to proceed with the service account (SA) creation.
Click on Finish to complete the service account creation.
Security group (SG)
Since I am creating these security groups for the purpose of MBAM deployment. Please refer to this article “how to deploy Microsoft BitLocker Administration and Monitoring – MBAM”. I do not need to remove the Domain Users Group. A domain user account is sufficient for my MBAM deployment.
Domain Local Group is a type of group in a Microsoft Windows Server-based network.Groups can have different scopes or levels of functionality. The scope of a group can be a single domain, a group of domains connected by trust relationships, or the entire network. Domain local groups are restricted to the specific domain in which they are defined. Domain local groups are used to provide users with access to network resources and to assign permissions to control access to these resources. Kindly refer to this article on the differences between Universal, Global, and Domain Local Group Scopes.
To create a SG, kindly follow the steps below. Run Active Directory Users and Computers and right-click the OU where you want the user to be created. Select New
– Select Group
This will open the new object group. Please enter the Group name and scope as shown below and click on OK
As you can see below, the Domain Group has been created.
That is all that is needed to create a Security group in Windows Active Directory environment.
But if you wish to implement advanced security for your service accounts, you may need to create a domain group and place the service account in that group. Because by default, the service account will be part of the Domain User Group. See the optional step below for more information.
Optional: For my lab need, these steps were not needed. I had to configure this to show how you can create a dedicated group to enhance your Service Accounts. Kindly refer to this article on the differences between Universal, Global, and Domain Local Group Scopes.
To ensure the utmost (additional) security for your service account, you can create a domain group and place the service account in that group. Because by default, the service account will be part of the Domain Group (local or Global). Once the service account has been added to this group, you can remove all other group members. I have quickly created a service account and will be removing the domain user account.
To improve the security of my environment (SAs), I removed the Domain user Group and added the newly created service account group above. This is to ensure the service account does not have any permissions, not even Domain User permissions unless they are allocated to the service account.
Do not forget to set the new “service account” group as the Primary Group. Else you will never be able to remove the Domain User Group.
As you can see below, we now have the service account as a member of this security group only.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.