A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service’s ability to access local and network resources. Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, Task Manager, or Windows PowerShell.
Types of Service accounts:
- Standalone managed service accounts
- Group managed service accounts
- Virtual accounts
Standalone Managed Service Accounts:
Managed service accounts were introduced in Windows Server 2008 R2 and provide automatic password management: the password is changed automatically at regular intervals. A managed service account is created to isolate domain accounts in essential applications, such as Internet Information Services (IIS), and removes the need for an administrator to manually administer the Service Principal Name (SPN) and credentials for the accounts.
However, there were certain limitations with the managed service account:
- One managed service account could be used for services on a single computer only.
- Managed service accounts cannot be shared between multiple computers.
- They cannot be used in server clusters where a service is replicated on multiple cluster nodes.
These limitations were eliminated by group managed service accounts, which were introduced in Windows Server 2012.
There are four important administrative benefits associated with the managed service accounts:
- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
- Unlike domain accounts in which administrators must reset the passwords manually, the network passwords for these accounts get reset automatically.
- You do not have to complete complex SPN management tasks to use the managed service accounts.
- Administrative tasks for the managed service accounts can be delegated to non-administrators.
Software requirements:
- To use managed service accounts, the server on which the application or service is installed must be running Windows Server 2008 R2 or later.
- Managed service accounts apply to Windows operating systems running Windows 7 or later.
Group Managed Service Accounts (gMSA):
The group managed service accounts are an extension of the standalone managed service accounts, which were introduced in Windows Server 2008 R2. The gMSA provides the same functionality as a standalone managed service account within the domain, but extends that functionality over multiple servers as well. The group managed service accounts provide:
- Automatic password and SPN management to multiple servers in a farm.
- gMSA provides a single identity for services running on a farm and allows you the flexibility to implement Network Load Balancing (NLB).
- gMSA can be used for scheduled tasks, Internet Information Services (IIS) application pools, SQL 2012, and Microsoft Exchange.
A single gMSA can be used on multiple hosts.
Group managed service accounts require the following:
- At least one Windows Server 2012 Domain Controller.
- A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to create/manage the gMSA.
- A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Note: You need to create the Key Distribution Service (KDS) root key on the domain controller in the domain before creating the gMSA. The KDS root key is required because Windows Server 2012 domain controllers need a root key to start generating the gMSA passwords. It is created by using the following command run in Active Directory Module for Windows PowerShell:
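An added example, not part of the original article: a PowerShell script that creates the KDS root key with `Add-KdsRootKey` if the domain has none, creates a gMSA whose password only one group of farm hosts may retrieve, and verifies the account on a host. The account, DNS and group names are hypothetical.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

function Initialize-FarmGmsa {
    # Run once, as a domain administrator, on a Windows Server 2012 domain controller.
    param(
        [string]$GmsaName    = 'svc-webfarm',                  # hypothetical gMSA name
        [string]$DnsHostName = 'svc-webfarm.corp.example.com', # hypothetical DNS host name
        [string]$HostGroup   = 'WebFarmHosts'                  # hypothetical group of farm computer accounts
    )

    # Create the KDS root key only if the domain does not have one yet.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
        # Domain controllers wait up to 10 hours before using a new key so it can replicate.
        Write-Warning 'KDS root key created; rerun after it has replicated (up to 10 hours).'
        return
    }

    # Create the gMSA; only members of $HostGroup may retrieve its managed password.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
    }

    # Return the principals allowed to retrieve the password, for review.
    $acct = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $acct.PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object { Get-ADObject -Identity $_ } |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Confirm-FarmGmsaOnHost {
    # Run on each farm host that is a member of the host group.
    param([string]$GmsaName = 'svc-webfarm')   # hypothetical gMSA name

    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "Host $env:COMPUTERNAME cannot retrieve the password for $GmsaName."
    }
    "$GmsaName is usable on $env:COMPUTERNAME"
}
```

Keeping the retrieval list to one dedicated group of farm hosts limits which computers can obtain the gMSA password, and the list returned by `Initialize-FarmGmsa` is the thing to review when group membership changes.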
Virtual Accounts:
Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
- The virtual account is automatically managed.
- The virtual account can access the network in a domain environment.
- No password management is required. For example, if the default value is used for the service accounts during a SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\<SERVICENAME>.
Services that run as virtual accounts access the network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$.
- You must install the Windows 10 operating system and Windows Server 2016.
One thought on “Windows Server 2012 Service Accounts”
I really thank you for your content, which gives us proper input on Windows Server 2012. Thank you HEX64.