3.5 Manage Active Directory Objects
TestOut Server Pro 2016: Identity
Active Directory Service Accounts
Section Skill Overview
• Create a service account.
• Create a managed service account.
• Create a group managed service account.
Key Terms
• Built-in Local User Account
• Domain User Account
• Managed Service Account
• Virtual Account
• Group Managed Service Account
Key Definitions
• Built-in Local User Account: A built-in user account is a local user account that is created automatically during installation of the operating system.
• Domain User Account: A domain user account enables the service to take full advantage of the service security features of Windows and Active Directory Domain Services.
Key Definitions (continued)
• Managed Service Account: A managed service account provides the same benefits as a domain user account, with the following improvements: passwords are managed and reset automatically, and when the domain is running at the Windows Server 2008 R2 functional level the service principal name (SPN) does not need to be managed manually as it does with local accounts.
• Virtual Account: Virtual accounts are not created and cannot be deleted; they are auto-managed; they use a single account for a single service (if multiple services use virtual accounts, each service gets a different account); they use the service name as the account name, formatted as NT SERVICE\<SERVICENAME>; and they require no password management.
• Group Managed Service Account: Group managed service accounts function in a manner similar to managed service accounts, but extend that functionality to multiple servers, allowing the same domain account to be used by services running on many systems in the domain.
Service Accounts
• Are user accounts used by Windows services, not by people.
• Are not monitored. Therefore:
  • When the password expires, the account is locked.
  • Expired passwords must be reset manually.
  • The "Password never expires" option creates a security risk.
Active Directory Service Accounts
• Introduced with Windows Server 2008 R2.
• Windows assigns and maintains a complex password for the account and service.
• With Server 2008 managed service accounts, the account could not be shared between computers.
Managed Service Accounts
• Are created and managed using PowerShell.
• Are assigned to a Windows service.
• Enter the account name followed by a dollar sign ($).
• Use a blank password.
• PowerShell commands:
Group Managed Service Accounts
• Introduced in Windows Server 2012 R2.
• Can be used on multiple computers.
• Must add the Key Distribution Services (KDS) root key using one of the following methods:
  • Run the Add-KdsRootKey cmdlet on a domain controller and then wait 10 hours.
  • For lab environments, run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Creating Group Managed Service Accounts
• Create a group in AD.
• Add the servers that will use the account to the group.
• Create the group managed service account using a cmdlet:
New-ADServiceAccount -Name ServiceAccountName -DNSHostName ServiceAccountName.Domain -PrincipalsAllowedToRetrieveManagedPassword "NameOfADgroup" -SamAccountName ServiceAccountName -ServicePrincipalNames URLOfApplications
Example:
New-ADServiceAccount -Name WebAccount -DNSHostName WebAccount.CorpNet.com -PrincipalsAllowedToRetrieveManagedPassword "WebServers" -SamAccountName WebAccount -ServicePrincipalNames https://Intranet.CorpNet.com
Creating Group Managed Service Accounts (continued)
• On the server using the account, run Install-ADServiceAccount ServiceAccountName
• Verify creation using Test-ADServiceAccount ServiceAccountName
• On the desired service:
  • Add the ServiceAccountName$
  • Leave the password blank
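The whole gMSA procedure from the slides above (KDS root key, AD group, New-ADServiceAccount, Install-/Test-ADServiceAccount, service assignment) carried through end to end, as an added PowerShell example that is not part of the TestOut course material. Assumed names: domain CorpNet.com, group WebServers, member servers WEB1 and WEB2, service IntranetSvc; the SPN is written in the SERVICECLASS/host form Kerberos expects, and the password-interval and encryption-type settings are extra hardening options not shown on the slide.

```powershell
# Added example, not from the TestOut slides. Assumed: domain CorpNet.com,
# gMSA "WebAccount", group "WebServers", servers WEB1/WEB2, service "IntranetSvc".
# Steps 1-3 run on a domain controller (or RSAT host) as a Domain Admin.
Import-Module ActiveDirectory

# 1. KDS root key: needed once per forest before any gMSA can be created.
#    Production: plain Add-KdsRootKey, then wait ~10 hours for replication.
#    Lab only (single DC): back-date EffectiveTime so the key is usable at once.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group listing the hosts allowed to retrieve the managed password.
$group = New-ADGroup -Name 'WebServers' -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members (Get-ADComputer 'WEB1'), (Get-ADComputer 'WEB2')
# A member server only carries the new group SID after its next logon: reboot
# WEB1/WEB2 (or purge their Kerberos tickets) before step 4, or Install fails.

# 3. The gMSA. Password retrieval is scoped to the group, not the whole domain.
New-ADServiceAccount -Name 'WebAccount' `
    -DNSHostName 'WebAccount.CorpNet.com' `
    -SamAccountName 'WebAccount' `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -ServicePrincipalNames 'HTTP/Intranet.CorpNet.com' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256

# Check that only the intended group can retrieve the password.
Get-ADServiceAccount 'WebAccount' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 4. On each member server (WEB1, WEB2): bind the account locally and verify.
Install-ADServiceAccount -Identity 'WebAccount'
if (-not (Test-ADServiceAccount -Identity 'WebAccount')) {
    throw 'WebAccount$ cannot be used on this host: check group membership and replication'
}

# 5. Point the service at the gMSA: account name ends in $, password left empty.
#    sc.exe is used because Set-Service in Windows PowerShell 5.1 cannot change the logon account.
sc.exe config 'IntranetSvc' obj= 'CORPNET\WebAccount$' password= ''
Restart-Service -Name 'IntranetSvc'
```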
Accounts Review
• Service accounts
  • Used non-expiring passwords
• 2008 R2 introduced managed service accounts
  • Active Directory management of passwords
  • Single-server use
• 2012 R2 introduced group managed service accounts
  • Active Directory management of passwords
  • Multi-server use
Virtual Accounts
• Cannot be created or deleted.
• Do not require any password management.
• Are assigned to the service by setting the logon account to NT SERVICE\ServiceName and then restarting the service.
Class Discussion
• What are the differences between a managed service account, a virtual service account, and a group managed service account?
• Which operating system is required to manage a service with a managed service account?
• Which Windows PowerShell cmdlet will create a new managed service account?
• If you have a domain controller running Windows Server 2003, how can you use a virtual account?