Service Accounts Advantages in Windows Server 2008 R2 and Windows 7

Managing service accounts can be tedious, but Windows Server 2008 R2 and Windows 7 take some of the load off.

Many applications require that the services they use run under the identity of a user account. Managing those service accounts, above all their passwords and Kerberos registrations, can be a tedious task, but Windows Server 2008 R2 and Windows 7 make it much easier.

Two new account types in Windows Server 2008 R2 and Windows 7 remove the need to manage service account passwords and Active Directory service principal names (SPNs). Managed service accounts are AD-based, and Windows automatically changes the passwords of these accounts before the passwords expire. It can also automatically manage any SPNs that exist for managed service accounts. Virtual accounts are similar, but they're local accounts. Windows also automatically changes their passwords, but it doesn't maintain any SPNs. On computers running Windows 7 or Windows Server 2008 R2, you can use either type of account when you specify how a service should log on.

The Fine Print


Before you can use the new account types, you need to take care of a few prerequisites. First, the AD schema must be updated to the Windows Server 2008 R2 version (adprep /forestprep). Automatic SPN management additionally requires that the domain run at the Windows Server 2008 R2 domain functional level; at a lower level the passwords are still managed for you, but you must register SPNs yourself. Second, the Active Directory module for Windows PowerShell, which you'll use to create the accounts, needs a domain controller it can talk to: either a Windows Server 2008 R2 domain controller, or a Windows Server 2003 or Windows Server 2008 domain controller on which you've installed the Active Directory Management Gateway Service.

Once you've prepared AD, you'll see a new container called Managed Service Accounts in your domain. Active Directory Users and Computers doesn't offer a way to create these accounts, so you create and manage them with the Active Directory module for Windows PowerShell (load it first with Import-Module ActiveDirectory). For example, to create and enable the account SQLSVC, you use the following command:

    New-ADServiceAccount -Name SQLSVC -Enabled $true

To also register the SPN MSSQLSVC/computer.domain.com when you create the account, use this command:

    New-ADServiceAccount -Name SQLSVC -Enabled $true -ServicePrincipalNames "MSSQLSVC/computer.domain.com"

Either command creates the account in the Managed Service Accounts container with the sAMAccountName SQLSVC$; the trailing dollar sign is part of the name, just as it is for computer accounts.

Ready to Go


Once you've created a managed service account, you need to configure a service to use it. First, on the computer where the service runs, install the account on that computer. This requires the Active Directory module for Windows PowerShell on that computer (it ships with the Remote Server Administration Tools), and in Windows Server 2008 R2 a managed service account can be installed on only one computer at a time. The command is:

    Install-ADServiceAccount -Identity "accountname"

Once you've done this, you can configure services to log on using this account the same way you'd select any other domain account, with two differences: you enter the account as DOMAIN\accountname$ (including the dollar sign), and you leave the password fields blank, because Windows retrieves the password itself. You can confirm that the computer is able to use the account with Test-ADServiceAccount -Identity "accountname", which returns True when the installation succeeded.

Unlike managed service accounts, virtual accounts require no prerequisites or setup at all. All that's required is that you configure a service to log on as NT SERVICE\ServiceName, where ServiceName is the name of the service, and leave the password blank. As soon as you click OK, Windows takes care of the rest. One thing to keep in mind: a virtual account has no identity of its own in the domain, so when the service reaches resources on other computers it authenticates as the computer account (DOMAIN\ComputerName$), and that is the account you must grant permissions to on the remote side.
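The whole procedure above, pulled together into one script, as an added example that is not from the original article or from Microsoft's documentation. The domain CONTOSO/contoso.com, the host SQL01, the account SQLSVC, the SQL Server port and the service names MSSQLSERVER and MyAppSvc are assumed names chosen for illustration; the script uses only cmdlets that ship in the Windows Server 2008 R2 Active Directory module plus the Win32_Service WMI class, which, unlike services.msc, does not grant the "Log on as a service" right for you.

```powershell
# Added example (not from the original article): end-to-end setup of a
# managed service account (MSA) and a virtual account on Windows Server 2008 R2.
# Hypothetical names: domain CONTOSO / contoso.com, service host SQL01,
# MSA SQLSVC, service MSSQLSERVER (to run as the MSA) and service MyAppSvc
# (to run as a virtual account).

# ---- Part 1: run once by a domain admin on a machine with the AD module ----
Import-Module ActiveDirectory

# Create and enable the MSA and register its SPNs in the same step. The
# account object lands in CN=Managed Service Accounts,DC=contoso,DC=com.
# A default SQL Server instance normally registers both the plain and the
# port-qualified SPN; port 1433 is assumed here.
New-ADServiceAccount -Name SQLSVC -Enabled $true `
    -ServicePrincipalNames "MSSQLSVC/sql01.contoso.com", "MSSQLSVC/sql01.contoso.com:1433"

# Check the result. Note the sAMAccountName carries a trailing '$' like a
# computer account; that is the name you type into the service's Log On tab.
Get-ADServiceAccount -Identity SQLSVC -Properties ServicePrincipalNames |
    Select-Object SamAccountName, Enabled, ServicePrincipalNames

# ---- Part 2: run on the service host SQL01 (needs the AD PowerShell module) ----
Import-Module ActiveDirectory

# Binds the MSA to this computer (one computer per MSA in 2008 R2) and stores
# the password locally so the Service Control Manager can log on without one.
Install-ADServiceAccount -Identity SQLSVC
if (-not (Test-ADServiceAccount -Identity SQLSVC)) {
    throw "SQLSVC is not usable on this computer; check the AD prerequisites."
}

# Point the service at the MSA. The password argument stays empty: Windows
# supplies it. WMI does not grant "Log on as a service" the way services.msc
# does, so the account (or a group containing it) must already hold that right.
$sql = Get-WmiObject -Class Win32_Service -Filter "Name='MSSQLSERVER'"
$result = $sql.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\SQLSVC$', '')
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed for MSSQLSERVER with code $($result.ReturnValue)"
}
Restart-Service -Name MSSQLSERVER

# ---- Part 3: virtual account for a second service, also on SQL01 ----
# No AD work at all: the identity is simply NT SERVICE\<ServiceName>.
$app = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppSvc'"
$result = $app.Change($null, $null, $null, $null, $null, $null, 'NT SERVICE\MyAppSvc', '')
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed for MyAppSvc with code $($result.ReturnValue)"
}

# Least privilege on the local file system: Modify on the service's own data
# folder only (C:\AppData is an assumed path).
icacls.exe 'C:\AppData' /grant 'NT SERVICE\MyAppSvc:(OI)(CI)M'
Restart-Service -Name MyAppSvc

# When MyAppSvc reaches a share or a database on another machine, it
# authenticates as the computer account CONTOSO\SQL01$, so grant remote
# permissions to that account, not to NT SERVICE\MyAppSvc.
```

Parts 2 and 3 must be run on the service host itself; Install-ADServiceAccount cannot be pointed at a remote computer. If you later retire the host, run Uninstall-ADServiceAccount -Identity SQLSVC there before installing the account on its replacement.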

Once you've configured a service to run under the identity of a managed service account or a virtual account, you can simply treat it like any other service account and grant it any required rights or system privileges. You can also configure application pools in IIS to run as a managed service account or a virtual account; in IIS 7.5 the default ApplicationPoolIdentity setting is itself a virtual account named IIS APPPOOL\<pool name>. What's different is that you no longer need to deal with periodic password changes or worry about services failing because a password has expired. And if you move a service from one computer to another, you run Uninstall-ADServiceAccount on the old computer and Install-ADServiceAccount on the new one, and you won't have to deal with the rather arcane task of moving SPNs in AD to ensure that network authentication continues to work.

The new service account types in Windows can eliminate annoying and tedious housekeeping tasks. As you're migrating to Windows Server 2008 R2 and Windows 7, it makes sense to learn more about the concept and start using the new service accounts whenever possible. And while using PowerShell for some of these tasks may seem daunting, doing so also presents the opportunity to automate the creation of service accounts and to reconfigure existing services to use them. To get started, make sure to read the Managed Service Accounts Step-by-Step Guide, which has all the information you'll need.

Comments
  • Ed Price - MSFT edited Revision 2. Comment: Added TOC and tags.

Comments
  • thanks for information.

  • UGH, why didn't you write that earlier? I just silently installed SQL Server on both machines and had problems with these accounts. ._.

    So you know, it is a very good article; it just came a little bit late.

  • Thanks all of you

  • Pingback from redmondmag.com
