Taming Service Accounts
Managing service accounts can be tedious, but Windows Server 2008 R2 and Windows 7 take some of the load off.
- By Joern Wettern
Many applications require that the services they use run under the identity of a user account. Managing service accounts can be a tedious task, but Windows Server 2008 R2 and Windows 7 make this much easier.
Two new account types in Windows Server 2008 R2 and Windows 7 remove the need to manage service account passwords and Active Directory service principal names (SPNs). Managed service accounts are AD-based, and Windows automatically changes the passwords of these accounts before the passwords expire. It can also automatically manage any SPNs that exist for managed service accounts. Virtual accounts are similar, but they're local accounts. Windows also automatically changes their passwords, but it doesn't maintain any SPNs. On computers running Windows 7 or Windows Server 2008 R2, you can use either type of account when you specify how a service should log on.
The Fine Print
Before you can use the new types of accounts, you need to take care of a few prerequisites. First, AD needs to be at the most current level. You'll also need to install the AD Management Gateway Service, which is available as a separate download from Microsoft, on one of the pre-release candidate 2 domain controllers.
Once you've prepared AD, you'll see a new container called Managed Service Accounts in your domain. From then on you use Windows PowerShell to perform the remaining tasks associated with Managed Service Accounts. For example, to create and enable the account SQLSVC, you use the following PowerShell command:
To also register the SPN MSSQLSVC/computer.domain.com when you create the account, use this command:
New-ADServiceAccount -Name SQLSVC -Enabled $true -ServicePrincipalNames MSSQLSVC/computer.domain.com
Ready to Go
Once you've created a managed account, you need to configure a service to use it. First, on the computer that hosts the service, use PowerShell to add the account to that computer. The command to do this is:
Once you've done this, you can configure services to log on using this account the same way you'd select any other domain account.
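The whole procedure above, from creating the account to pointing a service at it, as an added PowerShell example that is not part of the original article. Only the account name SQLSVC and the SPN form come from the article; the domain contoso.com (NetBIOS CONTOSO), the host SQL01 and the service MSSQLSERVER are assumed names.

```powershell
# Added example, not from the article: end-to-end provisioning of the managed
# service account SQLSVC. Assumed names: domain contoso.com (NetBIOS CONTOSO),
# service host SQL01, service MSSQLSERVER.
Import-Module ActiveDirectory          # *-ADServiceAccount cmdlets (AD module)

$Account     = 'SQLSVC'
$NetBios     = 'CONTOSO'               # assumed
$ServiceHost = 'SQL01'                 # assumed
$ServiceName = 'MSSQLSERVER'           # assumed
$Spn         = "MSSQLSVC/$ServiceHost.contoso.com"   # article: MSSQLSVC/computer.domain.com

# 1. Create and enable the account and register its SPN in one step.
#    Windows rotates the password from here on; no administrator needs to know it.
New-ADServiceAccount -Name $Account -Enabled $true -ServicePrincipalNames $Spn

# 2. Run on the host that will run the service: bind the account to this
#    computer and confirm the computer can actually retrieve the credentials.
Install-ADServiceAccount -Identity $Account
if (-not (Test-ADServiceAccount -Identity $Account)) {
    throw "Host $env:COMPUTERNAME cannot use managed service account $Account"
}

# 3. Point the service at CONTOSO\SQLSVC$ with an empty password. The trailing
#    '$' is part of the account name; the blank password tells the service
#    control manager to fetch the managed password itself.
$Logon   = "$NetBios\$Account`$"
$Service = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
$Result  = $Service.Change($null, $null, $null, $null, $null, $null, $Logon, '')
if ($Result.ReturnValue -ne 0) {
    throw "Changing the logon account failed with code $($Result.ReturnValue)"
}
# As with any service account, $Logon needs the 'Log on as a service' right;
# services.msc grants it when you pick the account, this WMI call does not.
Restart-Service -Name $ServiceName

# 4. Audit view: which host the account is bound to and when Windows last
#    rotated the password. Handy when reviewing service accounts later.
Get-ADServiceAccount -Identity $Account -Properties HostComputers, PasswordLastSet, ServicePrincipalNames |
    Select-Object Name, HostComputers, PasswordLastSet, ServicePrincipalNames
```

Steps 1 and 4 can run from any machine with the AD module; step 2 must run on the service host itself, which is also where step 3 belongs.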
Unlike managed service accounts, virtual accounts require no prerequisites or setup at all. All that's required is that you configure a service to log on as NT SERVICE\ServiceName, where ServiceName is the name of the service, and that you set an initial password. As soon as you click OK, Windows creates the account for you.
Once you've configured a service to run under the identity of a managed service account or a virtual account, you can simply treat it like any other service account and grant it any required rights or system privileges. You can also configure application pools in IIS to run as a managed service account or a virtual account. What's different is that you no longer need to deal with periodic password changes or worry about services failing because a password has expired. And if you move a service from one computer to another, you won't have to deal with the rather arcane task of moving SPNs in AD to ensure that network authentication continues to work.
The new service account types in Windows can eliminate annoying and tedious housekeeping tasks. As you're migrating to Windows Server 2008 R2 and Windows 7, it makes sense to learn more about the concept and start using the new service accounts whenever possible. And while using PowerShell for some of these tasks may seem daunting, doing so also presents the opportunity to automate the creation of service accounts and to reconfigure existing services to use them. To get started, make sure to read the Managed Service Accounts Step-by-Step Guide, which has all the information you'll need.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.