Active Directory Service Accounts

Presentation on theme: "Active Directory Service Accounts"— Presentation transcript:

1 Active Directory Service Accounts
3.5 Manage Active Directory Objects: Active Directory Service Accounts (TestOut Server Pro 2016: Identity)

2 Section Skill Overview
Create a group managed service account.

3 Key Terms Group Managed Service Account

4 Key Definitions Domain User Account: A domain user account enables the service to take full advantage of the service security features of Windows and Microsoft Active Directory Domain Services.

5 Key Definitions Group Managed Service Account: Group managed service accounts function in a manner similar to managed service accounts. However, they extend that functionality to multiple servers, allowing the same managed account to be used by services running on many systems in the domain, with every authorized host retrieving the current password from Active Directory.

6 Service Accounts Are user accounts used by Windows services, not by people, so nobody notices a problem until the service fails. Therefore: When the password expires, the service can no longer log on and will not start. Expired passwords must be reset manually, both in Active Directory and in the service's Log On settings. The Password never expires option avoids that outage but creates a security risk: a static, often shared and rarely rotated password for an account that usually holds elevated rights.

7 Active Directory Service Accounts
Managed Service Accounts (MSAs) were introduced with Windows Server 2008 R2. Active Directory assigns and maintains a complex password for the account; the computer that uses it renews the password automatically, so no administrator ever knows or types it. A Windows Server 2008 R2 managed service account is bound to a single computer and cannot be shared between computers.

8 Managed Service Accounts
Are created and managed using PowerShell (the ActiveDirectory module). Are assigned to a Windows service by entering the account name followed by a dollar sign ($), for example DOMAIN\AccountName$, with a blank password; Windows retrieves the password itself. Rights the service needs (Log on as a service, file and registry ACLs) are still granted on the server as for any other account; the cmdlets below manage only the Active Directory object.

9 Managed Service Accounts: PowerShell Commands
Command: Function
New-ADServiceAccount: Creates a new managed service account.
Set-ADServiceAccount: Modifies the properties of an existing managed service account, for example its service principal names. Use it right after creation for attributes that were not set when the account was created.
Install-ADServiceAccount: Installs the managed service account on the local computer so it can be used by a service there.
Set-ADObject: Sets the service account to be protected from accidental deletion (-ProtectedFromAccidentalDeletion $true).
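The single-computer (standalone) MSA workflow from the table above, end to end, as an added example that is not part of the TestOut course material. The names SqlSvc (the account), SQL01 (the only computer allowed to use it), MSSQLSERVER (the service) and the domain corpnet.com / CORPNET are assumptions. On Windows Server 2012 and later New-ADServiceAccount creates a group managed service account by default, so -RestrictToSingleComputer is what makes this the 2008 R2-style single-server account.

```powershell
# Added example, not from the original slides. Assumed names: SqlSvc (MSA),
# SQL01 (the one computer permitted to install it), MSSQLSERVER (the service),
# domain corpnet.com with NetBIOS name CORPNET.
Import-Module ActiveDirectory

# 1. New-ADServiceAccount: create a standalone MSA (run on a DC or an RSAT host).
New-ADServiceAccount -Name 'SqlSvc' -RestrictToSingleComputer -Enabled $true `
    -Description 'Service account for SQL Server on SQL01'

# 2. Set-ADServiceAccount: adjust attributes after creation, here the SPN the
#    service answers Kerberos requests for. The hashtable uses the AD cmdlet
#    Add/Remove/Replace syntax.
Set-ADServiceAccount -Identity 'SqlSvc' `
    -ServicePrincipalNames @{ Replace = 'MSSQLSvc/SQL01.corpnet.com:1433' }

# 3. Bind the MSA to the single computer that may install it. Without this,
#    Install-ADServiceAccount on SQL01 fails.
Add-ADComputerServiceAccount -Computer 'SQL01' -ServiceAccount 'SqlSvc'

# 4. Set-ADObject: protect the account object from accidental deletion.
$msa = Get-ADServiceAccount -Identity 'SqlSvc'
Set-ADObject -Identity $msa.DistinguishedName -ProtectedFromAccidentalDeletion $true

# 5. On SQL01 itself, from an elevated prompt: install and verify. Install caches
#    the password in the computer's LSA secret store; Test returns $true only if
#    this host can retrieve it.
Install-ADServiceAccount -Identity 'SqlSvc'
if (-not (Test-ADServiceAccount -Identity 'SqlSvc')) {
    throw 'SQL01 cannot retrieve the SqlSvc password; check step 3.'
}

# 6. Point the service at the account: name with trailing $, blank password.
#    --% makes sc.exe receive the arguments literally. sc.exe does NOT grant the
#    "Log on as a service" right; grant it by GPO/Local Security Policy, or set
#    the account in services.msc, which grants the right automatically.
sc.exe --% config MSSQLSERVER obj= "CORPNET\SqlSvc$" password= ""
Restart-Service -Name 'MSSQLSERVER'
```

Steps 1 to 4 run wherever the ActiveDirectory module is available; steps 5 and 6 must run on SQL01, because the password is only ever released to the computer named in step 3.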

10 Group Managed Service Accounts
Introduced in Windows Server 2012 (the domain needs the Windows Server 2012 schema and at least one Windows Server 2012 or later domain controller). Can be used on multiple computers; each authorized host retrieves the current password from a domain controller. Before the first gMSA can be created, a Key Distribution Services (KDS) root key must exist in the domain. Use one of the following methods. Production: run Add-KdsRootKey -EffectiveImmediately on a domain controller and then wait 10 hours so the key has replicated to every domain controller before creating accounts. Lab environments only: run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)), which back-dates the key so it is usable at once on a single domain controller.

11 Creating Group Managed Service Accounts
Create a security group in AD. Add the servers that will use the account to the group. Create the group managed service account using a cmdlet:
New-ADServiceAccount -Name ServiceAccountName -DNSHostName ServiceAccountName.Domain -PrincipalsAllowedToRetrieveManagedPassword "NameOfADgroup" -SamAccountName ServiceAccountName -ServicePrincipalNames URLOfApplications
-ServicePrincipalNames takes Kerberos SPNs for the service (for example HTTP/hostname), and -PrincipalsAllowedToRetrieveManagedPassword is the only control over which computers may obtain the password, so name the group rather than a broad principal such as Domain Computers.
Example: New-ADServiceAccount -Name WebAccount -DNSHostName WebAccount.CorpNet.com -PrincipalsAllowedToRetrieveManagedPassword "WebServers" -SamAccountName WebAccount -ServicePrincipalNames

12 Creating Group Managed Service Accounts
On each server using the account (after it has been added to the group and has refreshed its Kerberos ticket, for example by rebooting), run Install-ADServiceAccount -Identity ServiceAccountName. Verify with Test-ADServiceAccount -Identity ServiceAccountName, which returns True only when that host can retrieve the password. On the desired service, add DOMAIN\ServiceAccountName$ as the log-on account and leave the password blank.
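The gMSA procedure from slides 10 to 12, carried through in one script, as an added example that is not part of the TestOut course material. The domain corpnet.com (NetBIOS CORPNET), the group WebServers, the hosts WEB01 and WEB02, the account WebAccount, the SPNs and a Windows service named CorpWebApp on each web server are all assumptions. The KDS step uses the lab-only back-dated key from slide 10; in production use Add-KdsRootKey -EffectiveImmediately and wait 10 hours.

```powershell
# Added example, not from the original slides. Assumed names: domain corpnet.com
# (NetBIOS CORPNET), AD group WebServers, hosts WEB01/WEB02, gMSA WebAccount, and a
# hypothetical Windows service CorpWebApp installed on each web server.
Import-Module ActiveDirectory

# --- On a domain controller: one-time KDS root key -----------------------------
if (-not (Get-KdsRootKey)) {
    # Lab only: back-dating the effective time skips the 10-hour replication
    # wait. In production use -EffectiveImmediately and wait 10 hours.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# --- Group of computers allowed to retrieve the managed password ---------------
New-ADGroup -Name 'WebServers' -GroupScope Global -GroupCategory Security `
    -Description 'Hosts permitted to retrieve the WebAccount gMSA password'
Add-ADGroupMember -Identity 'WebServers' `
    -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# --- Create the gMSA -------------------------------------------------------------
# PrincipalsAllowedToRetrieveManagedPassword is the only thing between the
# managed password and other domain principals: scope it to the group, never
# to Domain Computers. ManagedPasswordIntervalInDays can only be set at creation.
New-ADServiceAccount -Name 'WebAccount' `
    -DNSHostName 'WebAccount.corpnet.com' `
    -SamAccountName 'WebAccount' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ServicePrincipalNames 'HTTP/www.corpnet.com', 'HTTP/www' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# Audit who can pull the password (returned as a list of distinguished names).
(Get-ADServiceAccount -Identity 'WebAccount' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# --- On each web server, from an elevated prompt ---------------------------------
# Group membership travels in the computer's Kerberos ticket. Reboot, or purge
# the SYSTEM logon session's ticket cache (LUID 0x3e7), or Install/Test fail.
klist.exe -li 0x3e7 purge
Install-ADServiceAccount -Identity 'WebAccount'
if (-not (Test-ADServiceAccount -Identity 'WebAccount')) {
    throw 'This host is not in WebServers or has not refreshed its ticket yet.'
}

# Assign the service: account name with trailing $, blank password.
# Win32_Service.Change returns 0 on success.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CorpWebApp'"
$r = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = 'CORPNET\WebAccount$'; StartPassword = '' }
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($r.ReturnValue)" }
Restart-Service -Name 'CorpWebApp'
```

The Test-ADServiceAccount check is the one to keep in any deployment script: the most common failure is a server that was added to the group but still holds a ticket issued before the membership change, and the check turns that into an explicit error rather than a service that silently fails to start.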

13 Accounts Review
Service accounts: traditionally ordinary user accounts with non-expiring, manually managed passwords. Windows Server 2008 R2 introduced Managed Service Accounts: Active Directory management of passwords, single-server use. Windows Server 2012 introduced Group Managed Service Accounts: the same managed password, multi-server use.

14 Virtual Accounts Cannot be created or deleted; Windows creates one automatically for every service.
Do not require any password management. Are assigned to a service by entering NT SERVICE\ServiceName as the log-on account (blank password) and then restarting the service. They are local to the server; when the service accesses network resources it authenticates as the computer account (DOMAIN\ComputerName$).
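Switching a service to its virtual account and confining that account to the files it needs, as an added example that is not part of the TestOut course material. The service name CorpSyncSvc and the data directory C:\ProgramData\CorpSync are assumptions.

```powershell
# Added example, not from the original slides. Assumed service: CorpSyncSvc,
# assumed data directory: C:\ProgramData\CorpSync. Run elevated on the server.
$name = 'CorpSyncSvc'

# The virtual account NT SERVICE\<ServiceName> exists as soon as the service is
# registered; nothing is created here. Set it as the log-on account with a blank
# password, then restart so the new identity takes effect.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
$r = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = "NT SERVICE\$name"; StartPassword = '' }
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($r.ReturnValue)" }
Restart-Service -Name $name

# Verify the configured log-on identity; no password is stored anywhere.
$configured = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartName
if ($configured -ne "NT SERVICE\$name") { throw "Unexpected log-on account: $configured" }

# Least privilege: grant the virtual account Modify on its own data directory
# only, instead of running the service as LocalSystem. ${name} keeps PowerShell
# from reading "$name:" as a drive-qualified variable.
icacls.exe 'C:\ProgramData\CorpSync' /grant "NT SERVICE\${name}:(OI)(CI)M"

# Caveat: on the network this service presents the computer account
# (DOMAIN\COMPUTERNAME$). Grant remote permissions to the computer, not to the
# NT SERVICE\ name, which is meaningless off this host.
```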

15 Class Discussion If you have a domain controller running Windows Server 2003, how can you use a virtual account?

