will's blog
27 Jun 2013 - 05:00 tagged by WillNorris
We want to make these service accounts easy to identify, and hard to mistake for an inactive user, stale account, or even worse, the leavings of some malicious act. Having a standard naming convention will make sure that these accounts are not only easily recognisable today, but years from now.

Guidelines for service accounts

  1. Maintain all service accounts in Active Directory, even if they will only ever be used on a single machine. It gives you a central place for management and auditing…both good things.
  2. Create an OU to store service accounts, and only service accounts.
  3. Set a standard that readily identifies the service account as a service account.
  4. Rename any accounts that predate this standard, and move them to the new OU.
  5. Set the "password never expires" and "user cannot change password" flags.
  6. Schedule a regular interval for resetting these passwords. If any administrative user leaves the company, you will need to go through the exercise of changing all passwords. Otherwise, make sure to do this at least once a year.
  7. Remember, do not use the name of the service itself as the only name.
  8. Document what the accounts are for in Active Directory. Use the xxx tab and enter key information like what systems use the account, etc. so that when you do change the password, you know what servers to touch.
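
The guidelines above can be checked periodically with a script. This is an added example, not code from the original post, that flags accounts breaking guidelines 2 through 6 and 8. The `svc-` prefix, the OU path, the sample accounts, and the use of the Description attribute for the documentation are assumptions made for illustration.

```powershell
# Assumptions (not from the original post): the "svc-" prefix, the OU path,
# and treating the Description attribute as the documentation from guideline 8.
$Prefix     = 'svc-'
$ServiceOU  = 'OU=Service Accounts,DC=example,DC=com'
$MaxAgeDays = 365   # guideline 6: reset at least once a year

function Test-ServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($Account.SamAccountName -notlike "$Prefix*") {
            $findings += 'name does not follow the standard (guidelines 3, 4)' }
        if ($Account.DistinguishedName -notlike "*,$ServiceOU") {
            $findings += 'not in the service account OU (guidelines 2, 4)' }
        if (-not $Account.PasswordNeverExpires) {
            $findings += 'password never expires is not set (guideline 5)' }
        if (-not $Account.CannotChangePassword) {
            $findings += 'user cannot change password is not set (guideline 5)' }
        # A never-set password counts as overdue.
        if ($null -eq $Account.PasswordLastSet -or
            ($Now - $Account.PasswordLastSet).TotalDays -gt $MaxAgeDays) {
            $findings += "password older than $MaxAgeDays days (guideline 6)" }
        if ([string]::IsNullOrWhiteSpace($Account.Description)) {
            $findings += 'no documentation of what uses the account (guideline 8)' }
        [pscustomobject]@{
            Account   = $Account.SamAccountName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample accounts so the check runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sqlbackup'
        DistinguishedName = "CN=svc-sqlbackup,$ServiceOU"
        PasswordNeverExpires = $true; CannotChangePassword = $true
        PasswordLastSet = (Get-Date).AddDays(-90)
        Description = 'SQL backup job; used on DB01 and DB02' },
    [pscustomobject]@{ SamAccountName = 'backup'
        DistinguishedName = 'CN=backup,CN=Users,DC=example,DC=com'
        PasswordNeverExpires = $true; CannotChangePassword = $false
        PasswordLastSet = (Get-Date).AddDays(-800); Description = '' }
)
$sample | Test-ServiceAccount | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -SearchBase $ServiceOU -Properties PasswordNeverExpires,
#     CannotChangePassword,PasswordLastSet,Description | Test-ServiceAccount
```

Searching only the service account OU will not find older accounts that still need to be renamed and moved (guideline 4); those have to be located with a wider search.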


Changed by Main.WillNorris on 27 Jun 2013 - 05:05 - r1