5

What settings in AD make a service account, a service account?

I know that the login into probably shouldn't be given to anyone but the administrators, that it might be used to run a service, I also know that it's password shouldn't expire, and that sometimes delegation is required if it goes between servers for another service.

Is there anything else?

leeand00
  • 4,807
  • 13
  • 64
  • 106

1 Answers1

6

"Service account" is not an Active Directory category, it is a completely human category for user accounts that are used by services. Other than that, the differences (if any) between a service account and a user account are entirely up to the organization or administrator creating them. In my experience, it's fairly common that "service accounts" are not any different than regular user accounts, as many people aren't bothered to configure them differently (though, the logon as a service right may need to be set if the service runs as an actual Windows service... but not all services do).

Server 2008 R2/Windows 7 introduced a new account type, called Managed Service Accounts, which (among other things) is a different type of Active Directory object, rather than being defined by different attributes.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
  • 2
    You could even say the Managed Service Account class defines _no_ attributes of its own. [Every attribute of the class](https://msdn.microsoft.com/en-us/library/hh339670(v=vs.85).aspx#win_8_server_attributes) is derived from others. – jscott Aug 18 '16 at 17:12