Discussion in 'Active Directory' started by Mr. JYC, Jun 3, 2007.

    Mr. JYC


    What is a service account and how do you set one up?

    Does a Run as Service permission exist?
    Mr. JYC, Jun 3, 2007

    Joe Kaplan

    A service account is just a user account that is used to run some sort of a
    server like IIS or SQL or perhaps something custom. If they will use
    Kerberos authentication, they need to have a servicePrincipalName set on
    them which is something that you would generally not set on a normal user
    account. It is common to have service account passwords not expire, as that
    can be difficult to manage since no user will receive a warning about the
    password expiring during login. It has to be managed manually.

    "Logon as a service" is a user right (privilege) that can be assigned on a
    local machine or applied via group policy, but it is not a permission like
    you would set in an ACL. To run as an actual Windows service, an account
    must have this privilege on the workstation it will run the service on.
    Whether or not your service accounts will need this privilege depends on
    whether they are running actual services configured in the service control
    manager or whether they will be used for other things. They might need
    different privileges (for example, IIS worker process accounts need the
    privilege to log on as a batch job instead).

    Service accounts are typically not used to log on interactively to a
    machine, although since they are normal user accounts, that is possible.

    Joe K.
    Joe Kaplan, Jun 3, 2007
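
Added example, not part of the original thread or of Joe Kaplan's post: a PowerShell review helper for the point above that service accounts with non-expiring passwords have to be managed manually. The function name `Find-StaleServiceAccount`, the `-MaxPasswordAgeDays` threshold and the sample accounts are assumptions made for illustration; the property names match what `Get-ADUser` returns.

```powershell
# Added example. Find-StaleServiceAccount and -MaxPasswordAgeDays are hypothetical names.
function Find-StaleServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        [int]$MaxPasswordAgeDays = 365,   # assumed review threshold, not from the thread
        [datetime]$Now = (Get-Date)
    )
    process {
        # Treat only accounts that carry a servicePrincipalName as service accounts.
        $spns = @($Account.servicePrincipalName | Where-Object { $_ })
        if ($spns.Count -eq 0) { return }

        # PasswordLastSet is empty when the password was never set.
        $ageDays = if ($Account.PasswordLastSet) {
            [int]($Now - $Account.PasswordLastSet).TotalDays
        } else { $null }
        $neverExpires = [bool]$Account.PasswordNeverExpires

        [pscustomobject]@{
            SamAccountName       = $Account.SamAccountName
            SpnCount             = $spns.Count
            PasswordNeverExpires = $neverExpires
            PasswordAgeDays      = $ageDays
            # No expiry warning will ever fire, so rotation has to be done by hand.
            NeedsManualRotation  = $neverExpires -and
                (($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays))
        }
    }
}

# Constructed sample accounts so the block runs without a domain.
$now = [datetime]'2007-06-04'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql'; PasswordNeverExpires = $true
        servicePrincipalName = @('MSSQLSvc/db01.example.test:1433'); PasswordLastSet = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'svc-web'; PasswordNeverExpires = $true
        servicePrincipalName = @('HTTP/web01.example.test'); PasswordLastSet = $now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName = 'svc-app'; PasswordNeverExpires = $false
        servicePrincipalName = @('HTTP/app01.example.test'); PasswordLastSet = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'jdoe'; PasswordNeverExpires = $false
        servicePrincipalName = @(); PasswordLastSet = $now.AddDays(-10) }   # normal user, skipped
)
$sample | Find-StaleServiceAccount -Now $now | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
#   -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet | Find-StaleServiceAccount
```

With the sample data only `svc-sql` is marked `NeedsManualRotation`; `svc-app` is older than the threshold but still subject to normal password expiry.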

    Mr. JYC

    Thank you Joe.

    Where do we go to enable the PrincipalName service on the account? Please
    clarify this because this seems a little strange.
    Thank you for your help!

    Mr. JYC, Jun 4, 2007
