Our domain service accounts are just members of the Domain Users group, nothing
special there. That's all you need to manage a process token across devices. You can
further restrict them by specifying a list of machines that service accounts are
allowed to log on to.
On the machine running the service, we make the domain account a member of a local
group. The easiest way to go is the local Administrators group for that machine.
Obviously, that is likely to give more access to that specific server than you want.
Best practice dictates that you create a local group for this purpose and set NTFS
permissions accordingly. You may have to do a little sleuthing for just the right
amount of permissions necessary to run the service and perform file system and
registry tasks. Sysinternals.com has good (free) tools to do this (regmon, filemon,
tokenmon).
Hope that helps.
Todd
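As an added illustration of the steps Todd describes (this is not code from the thread or from either poster), here is the setup in PowerShell on a current Windows member server. It assumes the RSAT ActiveDirectory module on the admin workstation and the built-in Microsoft.PowerShell.LocalAccounts module on the server; the account, server, group and path names are made up, and the "sleuthing" step with the Sysinternals tools is left to the reader.

```powershell
# Added example (not from the original thread): least-privilege setup for a domain
# service account on one member server. Assumes the ActiveDirectory RSAT module and
# Microsoft.PowerShell.LocalAccounts. All names below are hypothetical.

$ServiceAccount = 'CORP\svc-app'           # plain Domain Users member, not Domain Admins
$ServerName     = 'APPSRV01'
$LocalGroup     = 'App Service Operators'  # purpose-built local group, not Administrators
$AppPath        = 'D:\Apps\MyService'

# 1. In AD, restrict where the account may log on (the "Log On To" list on the
#    account, stored in the userWorkstations attribute). Needs write rights on the user.
Set-ADUser -Identity 'svc-app' -LogonWorkstations $ServerName

# 2. On the server, create the local group and put the domain account in it.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Accounts allowed to run MyService'
}
Add-LocalGroupMember -Group $LocalGroup -Member $ServiceAccount

# 3. Grant the group only the NTFS rights the service needs: Modify on its own
#    directory tree and nothing elsewhere. The inheritance flags make the ACE
#    apply to the folder, its subfolders and its files.
$ruleArgs = @(
    $LocalGroup,
    'Modify',                            # FileSystemRights
    'ContainerInherit, ObjectInherit',   # InheritanceFlags
    'None',                              # PropagationFlags
    'Allow'                              # AccessControlType
)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $AppPath
$acl.AddAccessRule($rule)
Set-Acl -Path $AppPath -AclObject $acl

# 4. Verify: the group should show Modify on the folder and nothing broader, and
#    the service account must not turn up in the local Administrators group.
(Get-Acl -Path $AppPath).Access |
    Where-Object IdentityReference -like "*$LocalGroup*" |
    Format-Table IdentityReference, FileSystemRights, IsInherited
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object Name -eq $ServiceAccount      # expect no output
```

Run step 1 from a workstation with the RSAT module and steps 2 through 4 on the server itself, in an elevated session. If the service also needs registry keys, repeat step 3 with a RegistryAccessRule on the specific key rather than widening the group's membership.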
-----Original Message-----
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Tue 01/28/2003 09:08 AM
To: Active Directory Mailing List
Cc:
Subject: [ActiveDir] Service account
We need to come up with a service account to use in running services in the
enterprise, but I have a situation where I’m going to need to give that account and
password to developers so they can use it too, so obviously I don’t want to just
stick it in Domain Admins and forget about it. Are there any white papers on what
rights an account needs to function as a typical service account (obviously some
applications/services will have different requirements, but there’s got to be a
place to start?)
Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
