Security Advisor

Taming Service Accounts

Managing service accounts can be tedious, but Windows Server 2008 R2 and Windows 7 take some of the load off.

Many applications require that the services they use run under the identity of a user account. Managing service accounts can be a tedious task, but Windows Server 2008 R2 and Windows 7 make this much easier.

Two new account types in Windows Server 2008 R2 and Windows 7 remove the need to manage service account passwords and Active Directory service principal names (SPNs). Managed service accounts are AD-based, and Windows automatically changes the passwords of these accounts before the passwords expire. It can also automatically manage any SPNs that exist for managed service accounts. Virtual accounts are similar, but they're local accounts. Windows also automatically changes their passwords, but it doesn't maintain any SPNs. On computers running Windows 7 or Windows Server 2008 R2, you can use either type of account when you specify how a service should log on.

The Fine Print
Before you can use the new types of accounts, you need to take care of a few prerequisites. First, the AD schema needs to be at the most current level. You'll also need to install the AD Management Gateway Service, which Microsoft provides as a separate download, on one of the domain controllers that has not yet been upgraded to Windows Server 2008 R2.

Once you've prepared AD, you'll see a new container called Managed Service Accounts in your domain. Then, using Windows PowerShell, you perform the remaining tasks associated with Managed Service Accounts. For example, to create and enable the account SQLSVC, you use the following PowerShell command:

New-ADServiceAccount SQLSVC -Enabled $true

To also register the SPN MSSQLSVC/ when you create the account, use this command:

New-ADServiceAccount SQLSVC -Enabled $true -ServicePrincipalNames

Ready to Go
Once you've created a managed account, you need to configure a service to use it. You'll need to first use PowerShell on the computer where the service is located and add the account to the computer. The command to do this is:

Install-ADServiceAccount -identity 

Once you've done this, you can configure services to log on using this account the same way you'd select any other domain account.
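The three steps above (create the account, install it on the host, repoint the service) can be scripted end to end. The following is an added example, not code from the article or from Microsoft's guide; it assumes the Windows Server 2008 R2 ActiveDirectory module, that it runs on the server hosting the service with rights to create AD objects, and that the names SQLSVC, MSSQLSERVER, CONTOSO and the SPN are constructed placeholders.

```powershell
# Added example: automate the managed service account (MSA) workflow end to end.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT)
# and that this runs on the computer where the service lives.
Import-Module ActiveDirectory

$AccountName = 'SQLSVC'                              # constructed placeholder
$ServiceName = 'MSSQLSERVER'                         # constructed placeholder
$Spn         = 'MSSQLSvc/sqlhost.contoso.com:1433'   # constructed placeholder SPN
$Domain      = (Get-ADDomain).NetBIOSName

# Step 1: create the MSA in the Managed Service Accounts container, registering
# the SPN with the account so it travels with the account rather than the host.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -Enabled $true -ServicePrincipalNames $Spn
}

# Step 2: bind the account to this computer so the local system can retrieve
# the account password from AD (a 2008 R2 MSA is bound to one computer at a time).
Install-ADServiceAccount -Identity $AccountName

# Step 3: repoint the service. The logon name is DOMAIN\name$ and the password
# is an empty string: Windows fetches and rotates the real password itself.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on this computer" }
$result = $svc.Change($null, $null, $null, $null, $null, $null,
                      "$Domain\$AccountName`$", '')
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# Restart so the new identity takes effect, then confirm what the service runs as.
Restart-Service -Name $ServiceName
(Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartName
```

Because the script never handles a password, it can be run again unchanged after the next automatic rotation or when the service moves to another host (after uninstalling the account from the old one).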

Unlike managed service accounts, virtual accounts require no prerequisites or setup at all. All that's required is that you configure a service to log on as NT SERVICE\ServiceName, where ServiceName is the name of the service, and that you set an initial password. As soon as you click OK, Windows creates the account for you.

Once you've configured a service to run under the identity of a managed service account or a virtual account, you can simply treat it like any other service account and grant it any required rights or system privileges. You can also configure application pools in IIS to run as a managed service account or a virtual account. What's different is that you no longer need to deal with periodic password changes or worry about services failing because a password has expired. And if you move a service from one computer to another, you won't have to deal with the rather arcane task of moving SPNs in AD to ensure that network authentication continues to work.

The new service account types in Windows can eliminate annoying and tedious housekeeping tasks. As you're migrating to Windows Server 2008 R2 and Windows 7, it makes sense to learn more about the concept and start using the new service accounts whenever possible. And while using PowerShell for some of these tasks may seem daunting, doing so also presents the opportunity to automate the creation of service accounts and to reconfigure existing services to use them. To get started, make sure to read the Managed Service Accounts Step-by-Step Guide, which has all the information you'll need.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
