That's useful, thanks.
Brad Martin
Go Daddy Software

-----Original Message-----
From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Povilaitis
Sent: Tuesday, January 28, 2003 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Service account

Our domain service accounts are just members of the Domain Users group, nothing special there. That's all you need to manage a process token across devices. You can further restrict them by specifying a list of machines that service accounts are allowed to log on to.

On the machine running the service, we make the domain account a member of a local group. The easiest way to go is the local Administrators group for that machine. Obviously, that is likely to give more access to that specific server than you want. Best practice dictates that you create a local group for this purpose and set NTFS permissions accordingly.

You may have to do a little sleuthing for just the right amount of permissions necessary to run the service and perform file system and registry tasks. Sysinternals.com has good (free) tools to do this (regmon, filemon, tokenmon).

Hope that helps.

Todd

-----Original Message-----
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Tue 01/28/2003 09:08 AM
To: Active Directory Mailing List
Cc:
Subject: [ActiveDir] Service account

We need to come up with a service account to use in running services in the enterprise, but I have a situation where I'm going to need to give that account and password to developers so they can use it too, so obviously I don't want to just stick it in Domain Admins and forget about it. Are there any white papers on what rights an account needs to function as a typical service account (obviously some applications/services will have different requirements, but there's got to be a place to start?)

Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
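The setup Todd describes (a plain Domain Users account, a logon-machine restriction, a dedicated local group, and NTFS permissions scoped to what the service needs), as an added PowerShell example that is not part of the original thread. The domain, account, server, group and path names are hypothetical placeholders, and it assumes an elevated session on the server with the ActiveDirectory (RSAT) and LocalAccounts modules available.

```powershell
# Added example, not from the original thread. Every name below is a hypothetical placeholder.
$Domain  = 'CORP'                     # assumed NetBIOS domain name
$Account = 'svc-app'                  # assumed existing service account
$Server  = 'APPSRV01'                 # assumed server that runs the service
$Group   = 'AppServiceAccounts'       # assumed local group created for this purpose
$BinDir  = 'D:\Apps\MyService'        # assumed install directory (read/execute only)
$DataDir = 'D:\Apps\MyService\Data'   # assumed data directory (modify)
$Member  = "$Domain\$Account"

Import-Module ActiveDirectory

# 1. The account should hold nothing beyond Domain Users; flag anything extra.
$extra = Get-ADPrincipalGroupMembership -Identity $Account |
    Where-Object { $_.Name -ne 'Domain Users' } |
    Select-Object -ExpandProperty Name
if ($extra) { Write-Warning "$Account is also a member of: $($extra -join ', ')" }

# 2. Restrict the machines the account is allowed to log on to.
Set-ADUser -Identity $Account -LogonWorkstations $Server

# 3. Create a dedicated local group instead of using local Administrators.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Accounts allowed to run MyService' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $Group -Member $Member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $Group -Member $Member
}

# 4. Grant NTFS permissions to the group, scoped per directory.
#    (OI)(CI) makes the entry inherit to files and subfolders.
icacls $BinDir  /grant "${Group}:(OI)(CI)RX"
icacls $DataDir /grant "${Group}:(OI)(CI)M"

# 5. Check that the account is not a direct member of local Administrators.
#    Membership through a nested group is not detected by this check.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $Member) {
    Write-Warning "$Member is a direct member of local Administrators on $env:COMPUTERNAME"
}

# Report the resulting state for review.
Get-ADUser -Identity $Account -Properties LogonWorkstations | Select-Object Name, LogonWorkstations
Get-LocalGroupMember -Group $Group
icacls $BinDir
icacls $DataDir
```

The two granted paths stand in for whatever the regmon/filemon tracing mentioned in the thread shows the service actually touches.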
