4

What are the pros and cons, or best practices when it comes to setting up applications on a server with either the Network Service account or a domain account?

Are there some cases in which you'd do one, and other cases where you'd do the other?

HopelessN00b
jeremy
  • 2
    This might help: http://serverfault.com/questions/571761/sql-service-accounts-and-which-to-use – dqnet Jul 10 '14 at 15:57

2 Answers

6

Using a domain account requires administration and protection of the account and password. Using the builtin NetworkService or LocalService identities has lower administrative effort and does not require protection of the service account password.

The builtin identities have predefined permissions for some objects on the system and may be shared by multiple applications on the system. Using a domain account provides the ability to specify permissions only to the objects that are needed, and can be limited exclusively to a single application.

If you have Windows 2008 R2 or later, Managed Service Accounts may be another option. MSAs combine the convenience of a builtin identity with finer granularity of control over what the identity has access to and what applications can use the identity.

Introducing Managed Service Accounts
http://technet.microsoft.com/en-us/library/dd560633%28v=ws.10%29.aspx

Managed Service Accounts Frequently Asked Questions (FAQ)
http://technet.microsoft.com/en-us/library/ff641729%28v=ws.10%29.aspx

Greg Askew
5

The difference really boils down to how the service will interact with other machines over the network (using Microsoft networking protocols). The "Network Service" is, effectively, an unprivileged user that authenticates as the computer's domain account when accessing remote resources. Assuming that your domain account is just a member of the "Users" group on the machine where the service is running, its permission to the local machine will be the same as "Network Service", but the service will authenticate with the domain account's credential when accessing remote services.

Evan Anderson
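To see how the identities discussed in both answers are actually distributed on a server, the following added example (not part of either answer) inventories every service by the kind of account it logs on as and lists the ones whose password someone has to manage. The function name `Get-ServiceIdentityType` is hypothetical, and treating a `DOMAIN\name$` logon name as a Managed Service Account is a naming heuristic assumed here, not a directory lookup.

```powershell
# Added example: classify each Windows service by its logon identity.
# Read-only; queries Win32_Service through CIM on the local machine.
function Get-ServiceIdentityType {
    param([string]$StartName)

    # Drivers and some services report no logon account at all.
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }

    # -Regex matching is case-insensitive; the first matching branch returns.
    switch -Regex ($StartName.Trim()) {
        '^(NT AUTHORITY\\)?(LocalSystem|SYSTEM)$'       { return 'LocalSystem' }
        '^NT AUTHORITY\\Network ?Service$'              { return 'NetworkService' }
        '^NT AUTHORITY\\Local ?Service$'                { return 'LocalService' }
        '^NT SERVICE\\'                                 { return 'VirtualAccount' }
        # Assumption: a trailing $ on DOMAIN\name marks a Managed Service Account.
        '^[^\\]+\\[^\\]+\$$'                            { return 'ManagedServiceAccount' }
        # .\user or COMPUTERNAME\user is an account local to this machine.
        "^(\.|$([regex]::Escape($env:COMPUTERNAME)))\\" { return 'LocalUser' }
        # DOMAIN\user or user@domain: password must be administered and protected.
        '^[^\\]+\\[^\\]+$|^[^@]+@[^@]+$'                { return 'DomainUser' }
        default                                         { return 'Unknown' }
    }
}

$report = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName,
        @{ Name = 'IdentityType'; Expression = { Get-ServiceIdentityType $_.StartName } }

# Summary: how many services share each kind of identity.
$report | Group-Object IdentityType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Services running under ordinary user accounts, i.e. those with a password
# that has to be rotated and protected.
$report | Where-Object IdentityType -in 'DomainUser', 'LocalUser' |
    Sort-Object StartName |
    Format-Table Name, StartName, State, StartMode -AutoSize
```

A large `NetworkService` count in the summary shows how many applications share that one builtin identity and its permissions on the machine.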