
Active Directory Service Accounts

3.5 Manage Active Directory Objects, TestOut Server Pro 2016: Identity. Section skill overview: create a service account, a managed service account, and a group managed service account.


Presentation Transcript


  1. 3.5 Manage Active Directory Objects: Active Directory Service Accounts. TestOut Server Pro 2016: Identity

  2. Section Skill Overview
  • Create a service account.
  • Create a managed service account.
  • Create a group managed service account.

  3. Key Terms
  • Built-in Local User Account
  • Domain User Account
  • Managed Service Account
  • Virtual Account
  • Group Managed Service Account

  4. Key Definitions
  • Built-in Local User Account: a local user account created automatically when the operating system is installed. For services these are Local System, Local Service and Network Service.
  • Domain User Account: an ordinary user account in Active Directory Domain Services that is used to run a service. It can authenticate to other domain resources, but an administrator chooses, types and rotates its password.

  5. Key Definitions
  • Managed Service Account: provides the same benefits as a domain user account, with these improvements:
  • Passwords are generated, managed and reset automatically by Active Directory.
  • When the domain runs at the Windows Server 2008 R2 functional level, service principal name (SPN) management is simplified; the SPN does not have to be maintained by hand as it does with a user account.
  • Virtual Account:
  • Cannot be created or deleted; one exists implicitly for each service.
  • Is auto-managed by the local system.
  • Uses one account per service: if several services use virtual accounts, each gets its own.
  • Is named after the service, formatted as NT SERVICE\<SERVICENAME>.
  • Requires no password management.
  • Group Managed Service Account: works like a managed service account but extends it to multiple servers, so the same domain account can be used by services running on many systems in the domain.

  6. Service Accounts
  • Are user accounts used by Windows services, not by people.
  • Are not watched by anyone, so:
  • When the password expires, the service can no longer log on and fails the next time it starts.
  • Expired passwords must be reset by hand and re-entered in every service that uses the account.
  • Setting the Password never expires option avoids that failure but leaves one static, human-chosen password in place indefinitely, which is a security risk.
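As an added example (not part of the TestOut slides), the following PowerShell finds the accounts the slide is warning about: enabled domain user accounts that carry a service principal name, so some service is using them, and whose password is set to never expire. Any domain user can request a Kerberos service ticket for an account with an SPN, and that ticket is encrypted with the account's password, so a static password on such an account is the one worth replacing with a managed account first. The script assumes the ActiveDirectory RSAT module and read access to the domain; the krbtgt exclusion and the 365-day threshold are assumptions.

```powershell
# Added example: inventory plain domain user accounts that are used as service
# accounts and rely on a non-expiring password. Not from the original slides.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# An SPN means a service uses the account; "password never expires" means the
# password is static and was typed by a person, which is the risk the slide names.
$filter = 'ServicePrincipalName -like "*" -and PasswordNeverExpires -eq $true -and Enabled -eq $true'
$props  = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName'

$suspects = Get-ADUser -Filter $filter -Properties $props |
    # krbtgt belongs to the KDC itself and is rotated separately; skip it.
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        # PasswordLastSet is $null when the password must be changed at next logon.
        $age = if ($_.PasswordLastSet) {
            [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays
        } else { -1 }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordAgeDays = $age
            LastLogonDate   = $_.LastLogonDate
            SPNs            = ($_.ServicePrincipalName -join '; ')
        }
    }

# Oldest static passwords first; these are the first to move to an MSA or gMSA.
$suspects | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Passwords older than a year (threshold is an assumption) deserve a ticket now.
$suspects | Where-Object { $_.PasswordAgeDays -gt 365 } |
    Select-Object -ExpandProperty SamAccountName

# For contrast: accounts whose password Active Directory already rotates itself.
Get-ADServiceAccount -Filter * -Properties PasswordLastSet |
    Select-Object Name, ObjectClass, PasswordLastSet |
    Format-Table -AutoSize
```

Run it from any domain-joined host with RSAT; the first table is the migration backlog, the last one shows which services already use a managed or group managed service account.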

  7. Active Directory Service Accounts
  • Managed service accounts were introduced with Windows Server 2008 R2.
  • Windows generates and maintains a complex password for the account; the service owner never sees or types it.
  • A Windows Server 2008 R2 managed service account is bound to one computer and cannot be shared between computers.

  8. Managed Service Accounts
  • Are created and managed using PowerShell (the ActiveDirectory module).
  • Are assigned to a Windows service.
  • In the service's Log On settings, enter the account name followed by a dollar sign ($), for example DOMAIN\AccountName$.
  • Leave the password blank; Windows retrieves it from Active Directory.

  9. Managed Service Accounts
  • PowerShell Commands:
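The command listing for this slide is not in the transcript, so here is an added example (not the course's own material) showing the full life cycle of a standalone managed service account: creating it, binding it to the one computer allowed to use it, installing and testing it on that computer, and assigning it to a service. The names AppSvc01, APP01 and MyAppService are assumptions; the ActiveDirectory RSAT module is assumed on both the admin host and the server.

```powershell
# Added example: full life cycle of a standalone managed service account (MSA).
# Not from the original slides. Assumed names: MSA "AppSvc01", the one server
# allowed to use it "APP01", the Windows service it will run "MyAppService".
# Requires the ActiveDirectory module (RSAT) on both the admin host and APP01.
Import-Module ActiveDirectory

$msa    = 'AppSvc01'
$server = 'APP01'
$svc    = 'MyAppService'

# --- On an administrative workstation or domain controller -------------------
# -RestrictToSingleComputer makes this a standalone MSA (one host) rather than
# a gMSA. A standalone MSA does not need -DNSHostName.
New-ADServiceAccount -Name $msa -RestrictToSingleComputer -Enabled $true

# Bind the MSA to the single computer that may retrieve its password.
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msa

# Confirm the link from the computer object's side (lists the MSA's DN).
(Get-ADComputer $server -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'

# --- On APP01 itself ----------------------------------------------------------
# Installs the account on the local machine so the LSA can fetch the password.
Install-ADServiceAccount -Identity $msa

# Returns True when the host can retrieve and use the password; False otherwise.
if (-not (Test-ADServiceAccount -Identity $msa)) {
    throw "$msa is not usable on $env:COMPUTERNAME; check the computer binding."
}

# Assign it to the service. The logon name is DOMAIN\Name$ and the password is
# blank. Use sc.exe explicitly: in Windows PowerShell 'sc' aliases Set-Content.
$netbios = (Get-ADDomain).NetBIOSName
sc.exe config $svc obj= "$netbios\$msa`$" password= ""

# sc.exe does not grant "Log on as a service"; the Services MMC does that for
# you. If the restart fails with a logon failure, add the right through Local
# Security Policy or Group Policy and restart again.
Restart-Service -Name $svc
Get-CimInstance Win32_Service -Filter "Name='$svc'" |
    Select-Object Name, StartName, State
```

The first half runs where you have domain admin rights, the second half on the server itself; `Test-ADServiceAccount` returning False after `Install-ADServiceAccount` almost always means the computer was not bound with `Add-ADComputerServiceAccount`, or the account was created as a standalone MSA for a different host.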

  10. Group Managed Service Accounts
  • Introduced in Windows Server 2012 (the domain needs at least one Windows Server 2012 or later domain controller).
  • Can be used on multiple computers.
  • Require a Key Distribution Services (KDS) root key before the first gMSA can be created; add it with one of the following methods.
  • In production, run Add-KdsRootKey -EffectiveImmediately on a domain controller and then wait 10 hours so the key has replicated to every domain controller.
  • In a single-DC lab, run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) to backdate the key and skip the wait.

  11. Creating Group Managed Service Accounts
  • Create a security group in AD.
  • Add the computer accounts of the servers that will use the account to the group. A computer's group membership is read when it logs on, so reboot each server after adding it.
  • Create the group managed service account with a cmdlet: New-ADServiceAccount -Name ServiceAccountName -DNSHostName ServiceAccountName.Domain -PrincipalsAllowedToRetrieveManagedPassword "NameOfADgroup" -SamAccountName ServiceAccountName -ServicePrincipalNames "service/host"
  • Service principal names are service/host pairs such as HTTP/Intranet.CorpNet.com, not URLs.
  • Example: New-ADServiceAccount -Name WebAccount -DNSHostName WebAccount.CorpNet.com -PrincipalsAllowedToRetrieveManagedPassword "WebServers" -SamAccountName WebAccount -ServicePrincipalNames HTTP/Intranet.CorpNet.com

  12. Creating Group Managed Service Accounts
  • On each server that will use the account, run Install-ADServiceAccount ServiceAccountName (requires the Active Directory PowerShell module on that server).
  • Verify with Test-ADServiceAccount ServiceAccountName; it returns True when the server can retrieve the account's password and False when it cannot, usually because the server is not in the group yet or has not rebooted since being added.
  • In the service's Log On settings:
  • Enter DOMAIN\ServiceAccountName$
  • Leave the password blank
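The whole procedure from slides 10 to 12, as an added example that is not part of the course material: it checks for the KDS root key, builds the host group, creates the gMSA with correctly formatted SPNs, installs and tests it on a member host, and finishes with the review a security engineer would want, namely which principals are allowed to retrieve each gMSA's password. The names WebAccount, WebServers, WEB01, WEB02, CorpNet.com and IntranetSvc are assumptions; the ActiveDirectory RSAT module is assumed wherever the commands run.

```powershell
# Added example: end-to-end creation and verification of a group managed service
# account (gMSA), plus a review of who may retrieve gMSA passwords. Not from the
# original slides. Assumed names: gMSA "WebAccount", host group "WebServers",
# members WEB01 and WEB02, domain CorpNet.com, the service "IntranetSvc".
Import-Module ActiveDirectory

$gmsa   = 'WebAccount'
$group  = 'WebServers'
$hosts  = 'WEB01', 'WEB02'
$domain = 'CorpNet.com'

# --- On a domain controller or admin workstation ------------------------------
# 1. The KDS root key is a prerequisite; without it New-ADServiceAccount fails.
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait 10 hours so
    # every DC has replicated the key. The backdated EffectiveTime below is the
    # single-DC lab shortcut shown on slide 10.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group of the hosts allowed to retrieve the password.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $group -Members ($hosts | ForEach-Object { "$_`$" })
# Caveat: a computer's group memberships travel in its Kerberos ticket, so each
# host needs a reboot (or an elevated 'klist -li 0x3e7 purge') before step 4.

# 3. Create the gMSA. SPNs use service/host form (HTTP/fqdn), not URLs.
New-ADServiceAccount -Name $gmsa `
    -DNSHostName "$gmsa.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -ServicePrincipalNames "HTTP/Intranet.$domain", 'HTTP/Intranet' `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# --- On each member host, after it has rebooted -------------------------------
# 4. Install, then prove the host can actually fetch the password.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $gmsa; check group membership and reboot."
}
$netbios = (Get-ADDomain).NetBIOSName
sc.exe config IntranetSvc obj= "$netbios\$gmsa`$" password= ""
Restart-Service -Name IntranetSvc

# --- Periodic review (anywhere with the AD module) ----------------------------
# 5. Every principal listed here can read the gMSA password outright. A broad
# group such as "Domain Computers" means any domain-joined machine can get it.
Get-ADServiceAccount -Filter * `
        -Properties 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-ManagedPasswordInterval', 'ServicePrincipalName' |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    Select-Object Name,
        @{ n = 'RetrievePrincipals'; e = { ($_.PrincipalsAllowedToRetrieveManagedPassword |
                                            ForEach-Object { (Get-ADObject $_).Name }) -join '; ' } },
        @{ n = 'RotationDays';       e = { $_.'msDS-ManagedPasswordInterval' } },
        @{ n = 'SPNs';               e = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize
```

Steps 1 to 3 run once, step 4 runs on every member host after its reboot, and step 5 is worth scheduling: a gMSA is only as safe as the smallest group that can retrieve its password, so the review should flag any entry that names a built-in group or a group with unrelated members.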

  13. Accounts Review
  • Service accounts (ordinary user accounts):
  • Relied on non-expiring, manually set passwords
  • Windows Server 2008 R2 introduced Managed Service Accounts:
  • Active Directory manages the password
  • Single-server use
  • Windows Server 2012 introduced Group Managed Service Accounts:
  • Active Directory manages the password
  • Multi-server use

  14. Virtual Accounts
  • Cannot be created or deleted.
  • Require no password management.
  • Are assigned to a service by entering NT SERVICE\ServiceName as the logon account, with no password, and then restarting the service.

  15. Class Discussion
  • What are the differences between a managed service account, a virtual account, and a group managed service account?
  • Which operating system is required to manage a service with a managed service account?
  • Which Windows PowerShell cmdlet creates a new managed service account?
  • If you have a domain controller running Windows Server 2003, how can you use a virtual account?
