What's New in Service Accounts
Updated: May 5, 2011
Applies To: Windows 7, Windows Server 2008 R2
One of the security challenges for critical network applications such as Exchange and Internet Information Services (IIS) is selecting the appropriate type of account for the application to use.
On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.
If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many server applications use this strategy to enhance security, but at a cost of additional administration and complexity.
In these deployments, service administrators spend a considerable amount of time in maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
Two new types of service accounts are available in Windows Server® 2008 R2 and Windows® 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.
Administrators will want to use managed service accounts to enhance security while simplifying or eliminating password and SPN management.
Virtual accounts simplify service administration by eliminating password management and allowing services to access the network with the computer's account credentials in a domain environment.
In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
Managed service accounts allow administrators to create a class of domain accounts that can be used to manage and maintain services on local computers.
Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically.
Unlike with normal local computer and user accounts, the administrator does not have to complete complex SPN management tasks to use managed service accounts.
Administrative tasks for managed service accounts can be delegated to non-administrators.
Managed service accounts can reduce the amount of account management needed for critical services and applications.
To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. In Windows Server 2008 R2 and Windows 7, one managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers and cannot be used in server clusters where a service is replicated on multiple cluster nodes.
Windows Server 2008 R2 domains provide native support for both automatic password management and SPN management. If the domain is running in Windows Server 2003 mode or Windows Server 2008 mode, additional configuration steps will be needed to support managed service accounts. This means that:
If the domain controller is running Windows Server 2008 R2 and the schema has been upgraded to support managed service accounts, both automatic password and SPN management are available.
If the domain controller is on a computer running Windows Server 2008 or Windows Server 2003 and the Active Directory schema has been upgraded to support this feature, managed service accounts can be used and service account passwords will be managed automatically. However, the domain administrator using these server operating systems will still need to manually configure SPN data for managed service accounts.
To use managed service accounts in Windows Server 2008, Windows Server 2003, or mixed-mode domain environments, the following schema changes must be applied:
Run adprep /forestprep at the forest level.
Run adprep /domainprep in every domain where you want to create and use managed service accounts.
Deploy a domain controller running Windows Server 2008 R2 in the domain to manage managed service accounts by using Windows PowerShell cmdlets.
For more information, see Adprep.
For more information about managing SPNs, see Service Principal Names.