On Fri, 15 May 2009 12:16:05 -0500, "Richard Mueller [MVP]" <...@ameritech.nospam.net
<...@g12g2000prg.googlegroups.com...
There should be one service account per instance of the service. An instance
of SQL Server, for example, runs on a server under one service account. Many
users on many clients can connect to the service.
If there are several service accounts, there must be one instance of the
service for each service account. How would the clients know which instance
to connect to? This isn't feasible unless the service runs locally on each
client.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Anonymous Wrote:
On May 15, 10:16 pm, "Richard Mueller [MVP]" <rlmueller-
nos....@ameritech.nospam.net
Thanks Richard. I did forget to mention that there will be only one
instance of the service on one of the AD servers. I take it in that
case, from my logic and of course from what you said, there should be
only one service account. Is my assumption right?
Of course the scenario, as always, does get complicated if I consider
some more conditions. This service provides different forms of access
based on the user's group membership. For example, for service account
"A" it can be configured to have administrative access while for "B"
it can be configured to have read-only access. But I think there
should be only one service account in that category that can be used
from multiple machines in AD to access this service.
Is my thinking correct? Does MS mention this somewhere in their best
practices/recommendation book? I am aware that opinions in the group
and logic should be good enough, but the people I work with will need
something more than that (makes me feel like banging my head against
the wall, but anyway :-))
Thanks again,
-Neel.
Anonymous Wrote:
I apologize; my browser sent the message multiple times and it kinda
spammed this thread. I have removed the (spammed) copies of my answer
now.
Thanks,
-Neel.
On Sun, 17 May 2009 11:03:30 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de
Hello neel...@rediffmail.com,
What kind of service do you mean exactly? You talk about administrative and
read-only? Do you mean AD management or folder access with NTFS permissions?
My understanding of a service account is that an application, for example,
needs the account to run with special permissions on a server. So it will
not be used by other groups or users, just by this application. So this
special account has the minimum permissions to do the job, and a never expiring,
really long and strong password, which will be changed maybe once a year.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Anonymous Wrote:
On May 17, 4:03 pm, Meinolf Weber [MVP-DS] <...@gmx.de> wrote:
Hello Meinolf,
Thanks for the answer. I believe I could not explain the scenario
completely. Here are further details -
- A service runs, let's call it mysvc, on a server in AD, let's call it
myserver.
- This service has two broad categories of features of its own; for
now we can consider features related to the file system - administrative
and read-only (creating/deleting files and only reading them)
- there are other third party services/applications running in AD
which need to connect to this service to access its features
- these third party services/applications want to use service accounts
to connect to mysvc.
- since these third party services/applications will be on multiple
machines (multiple instances), the ways I see service accounts may be
used are:
a) AD can have *one service account *per* instance* of the third party
services/applications. Give each service account appropriate
permissions in mysvc. Run the service in the context of that service
account.
b) Have *one service account *per* category of access*, i.e. in general
there will be two service accounts in AD - mysvcAdminAccount and
mysvcReadOnlyAccount. *All* the instances of third party services/
applications that want to use mysvc will run in the context of *either* of
these two accounts on *any* number of machines, i.e. these two accounts
will be shared.
I wanted to know which of the above methods, #a or #b, is recommended
by AD guidelines/documentation. My preference is for #b.
Do let me know if you need any more information.
Thanks again,
- Neel.
On Mon, 18 May 2009 08:15:52 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de
Hello neel...@rediffmail.com,
I still cannot completely follow your setup with the apps etc. Anyway, you
should use as few service accounts as possible for your needs; it keeps management
easier. So creating the 2 accounts in the domain is ok, and use them on multiple
machines. Make sure they really have as few permissions as possible.
Maybe you can track that down with Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Anonymous Wrote:
On May 18, 1:15 pm, Meinolf Weber [MVP-DS] <...@gmx.de> wrote:
Thanks again. Has this concept of "shared" service accounts been
referred to somewhere in the AD documentation? I have searched a lot but
I couldn't find an example/case study or any documentation that
refers to the kind of requirements I mentioned.
Thanks,
-Neel.
On Mon, 18 May 2009 10:15:27 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de
Hello neel...@rediffmail.com,
Well, I never used service accounts the way you described it. Additionally, that
is not only for AD; you can also use workgroup machines and create service
accounts. In local users and groups you will sometimes find some that installed
software created automatically.
Also, I don't know of a special article from MS for older OS versions.
What is now implemented with 2008 R2 are so called "Managed service accounts":
http://technet.microsoft.com/en-us/library/dd378925.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
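The thread settles on design "b" (a small number of shared domain service accounts used on many machines), with Meinolf's conditions attached: as few accounts as possible, minimum permissions, and a long, strong password that is rotated roughly once a year. Below is an added PowerShell example, written for this page and not something the posters or Microsoft supplied, that inventories which domain accounts actually run Windows services on a list of servers and reports the facts a defender would want to check against that guidance: which hosts share each account, whether the account is a managed service account (whose password AD rotates itself), whether a plain user account's password is set to never expire, and how old its password is. The server names, the domain NetBIOS name and the 365-day threshold are placeholders to replace; it assumes the ActiveDirectory RSAT module is installed and that the caller can query CIM (WinRM) on the listed hosts.

```powershell
# Added example, not from the thread: inventory domain service accounts in use
# on a set of servers and check them against the "few accounts, least
# privilege, strong password rotated about yearly" guidance given above.
# Assumptions: ActiveDirectory module (RSAT) present; WinRM/CIM access to
# every listed host; $Domain, $Servers and $MaxPasswordAgeDays are placeholders.

$Domain             = 'CONTOSO'                         # placeholder NetBIOS domain name
$Servers            = @('myserver', 'app01', 'app02')   # placeholder host list
$MaxPasswordAgeDays = 365                               # "changed maybe once a year"

Import-Module ActiveDirectory

# 1. Collect every service on every reachable server with the account it runs as.
$services = foreach ($s in $Servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction Stop |
            Select-Object @{n = 'Server'; e = { $s }}, Name, StartName, State
    } catch {
        Write-Warning "Could not query $s : $($_.Exception.Message)"
    }
}

# 2. Keep only services running as a domain account; LocalSystem, the
#    NT AUTHORITY\... and NT SERVICE\... accounts are out of scope here.
$domainSvc = $services | Where-Object { $_.StartName -like "$Domain\*" }

# 3. One report row per account, listing every host and service that uses it.
$report = foreach ($g in ($domainSvc | Group-Object StartName)) {
    $raw   = ($g.Name -split '\\')[1]        # e.g. svc_mysvc  or  mysvc$ for an MSA
    $sam   = $raw.TrimEnd('$')
    $hosts = $g.Group.Server | Sort-Object -Unique

    # A managed service account is a different object class from a user, so look
    # for it first (its sAMAccountName keeps the trailing $), then fall back to a user.
    $adObj = Get-ADServiceAccount -Filter "SamAccountName -eq '$raw'" -ErrorAction SilentlyContinue
    $isMsa = [bool]$adObj
    if (-not $isMsa) {
        $adObj = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                            -Properties PasswordLastSet, PasswordNeverExpires `
                            -ErrorAction SilentlyContinue
    }

    $pwdAge = if ($adObj -and $adObj.PasswordLastSet) {
        (New-TimeSpan -Start $adObj.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        Account              = $g.Name
        HostCount            = $hosts.Count
        Hosts                = ($hosts -join ', ')
        Services             = (($g.Group.Name | Sort-Object -Unique) -join ', ')
        ManagedAccount       = $isMsa
        PasswordNeverExpires = if ($isMsa) { 'n/a (rotated by AD)' } else { $adObj.PasswordNeverExpires }
        PasswordAgeDays      = $pwdAge
        Finding              = if ($isMsa)                            { '' }
                               elseif (-not $adObj)                   { 'account not found in AD' }
                               elseif ($pwdAge -gt $MaxPasswordAgeDays) { "password older than $MaxPasswordAgeDays days" }
                               else                                   { '' }
    }
}

# Accounts shared by the most hosts first: that is exactly design "b", and the
# rows show at a glance how wide the blast radius of each shared account is.
$report | Sort-Object HostCount -Descending | Format-Table -AutoSize
```

A row with a high HostCount is not itself a problem under the advice in this thread; it is the expected shape of design "b". What the report makes visible is the trade-off that comes with it: every host listed in Hosts holds the same credential, so the account's permissions in mysvc need to be the minimum that category of access requires, and a plain user account with a Finding in the last column has outlived the yearly rotation Meinolf describes. Rows where ManagedAccount is True are the 2008 R2 managed service accounts from the link above, whose password AD maintains, so no age finding is raised for them.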