Service Accounts : Best Practice

Discussion in 'Active Directory' started by adoyt, Feb 17, 2004.

  1. adoyt

    adoyt Guest

    Can anyone give me a suggestion on what the best practice
    is when dealing with multiple service accounts?

    Thanks in advance,

    Adoyt
     
    adoyt, Feb 17, 2004
    #1
    1. Advertisements

  2. With regard to what? Management, security, ???
     
    Derek Melber [MVP], Feb 17, 2004
    #2
    1. Advertisements

  3. adoyt

    adoyt Guest

    With managing multiple security accounts.

    Adoyt
     
    adoyt, Feb 17, 2004
    #3
  4. Adoyt,

    I am still a bit shaky on exactly what you are looking for, but I will give
    it an attempt to hit what you are needing. First, make sure that the service
    account has a complex password. Second, you need to make a business decision
    on how you will deal with password changes. There are many thoughts, here
    are a couple:
    1) Set the password to not expire, but change it often to another complex
    password
    2) Set the password to expire, along with the other user accounts in the
    domain. This will of course require attention to each service account, since
    the password will expire without any notification to you.
    3) Make the password dual-admin. Meaning, break the password into two
    sections, where two different admins each part of the password. This will
    require that both admins be present to login, or configure the password. Of
    course, this is high security, but if the company requires it, this option
    can go a long way.

    Third, a great option for configuring service accounts is to configure them
    to only logon to certain workstations. This is done on the user properties
    of the user in ADUC. Just configure the computers that the account will be
    used, and then no one can logon to another computer with that account, even
    with the password.
     
    Derek Melber [MVP], Feb 17, 2004
    #4
  5. adoyt

    adoyt Guest

    Derek,

    Sorry about not being clear. Your response hit it all my
    questions, right on the mark.

    Thanks,

    Teo
     
    adoyt, Feb 18, 2004
    #5
  6. Whew! Glad to hear it.

    --
    Derek Melber

     
    Derek Melber [MVP], Feb 18, 2004
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.