Active Directory - Non-Interactive Service Accounts
The Campus Active Directory service offers a fine-grained password policy for non-interactive "service" accounts. The policy offers a more convenient maximum password age to reduce the frequency of required password changes.
Requesting a Service Account
To create a non-interactive service account, follow these directions:
- Create a user object for each service in your department's delegated Organizational Unit. When selecting a name for the user object, please follow the Campus Active Directory Naming Convention https://kb.wisc.edu/page.php?id=30600.
- Make sure the account has at least a 12-character password
- E-mail activedirectory@doit.wisc.edu with the following information:
  - Department Code
  - Name of the user object
- A Campus Active Directory administrator will add the account to a special group with the fine-grained password policy. The account will be forced to change its password at next logon.
Best Practices for use of Service Accounts
Add the "Logon as a service" right to a user account
- Open Local Security Policy
- In the console tree, double-click Local Policies, and then click User Rights Assignments
- In the details pane, double-click Logon as a service
- Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right
Add the "Logon as a service" right to an account through a Group Policy Object (GPO)
- Make sure your workstation or server is joined to the domain in which your users and GPOs reside
- Click Start, point to Run, type mmc, and then click OK
- On the File menu, click Add/Remove Snap-in
- In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click GPO Editor
- In Select GPO, click Browse, browse to the GPO that you want to modify, click OK, and then click Finish
- Click Close, and then click OK
- In the console tree, click User Rights Assignment
- In the details pane, double-click Logon as a service
- If the security setting has not yet been defined, select the Define these policy settings check box
- Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right
Set "Logon as Batch Job" Policy
- On the Destination Server, click Start, click All Programs, and then click Administrative Tools
- In the Administrative Tools menu, select Group Policy Management
- In the Group Policy Management Console tree, click Forest: <servername>, and then click Domains
- Click the name of your server, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit
- In the Group Policy Management Editor, click Default Domain Controllers Policy <servername> Policy, expand Computer Configuration, and then click Policies
- In the Policies tree, expand Windows Setting, and then click Security Settings
- In the Security Settings tree, expand Local Policies, and then click User Rights Assignment
- In the results pane, scroll to Logon as a batch job, and then double-click it
- In the Logon as a batch job Properties dialog box, click Add User or Group
- In the Add User or Group dialog box, click Browse
- In the Select Users, Computers, or Groups dialog box, type Administrators
- Click Check names to verify that the built-in Administrators group appears, and then click OK three times
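The following PowerShell script is an added verification example, not part of the KB article or of DoIT's tooling. It checks two things the procedures above set up: whether a service account actually holds the "Logon as a service" and "Logon as a batch job" rights on the host where it is run (effective settings, local policy merged with applied GPOs), and which password policy governs the account (the fine-grained policy from the special group, or the default domain policy). It assumes it is run elevated on a domain-joined host, that the RSAT ActiveDirectory module is installed for the password-policy check, and the account name in the usage line is a placeholder.

```powershell
# Added example (not from the KB article). Run elevated; secedit needs admin rights.
function Test-ServiceAccountSetup {
    param([Parameter(Mandatory)] [string]$Account)   # 'DOMAIN\samAccountName'

    # Resolve the account to its SID; secedit lists right holders as *SID entries.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export the effective user-rights assignments on this host to an INF file.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # True when $sid appears in the comma-separated holder list of a privilege line,
    # e.g. "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105".
    function Test-Right([string]$Privilege) {
        $entry = $lines | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
        if (-not $entry) { return $false }
        $holders = ($entry -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
        return ($holders -contains $sid)
    }

    $result = [ordered]@{
        Account         = $Account
        SID             = $sid
        LogonAsService  = Test-Right 'SeServiceLogonRight'   # "Logon as a service"
        LogonAsBatchJob = Test-Right 'SeBatchLogonRight'     # "Logon as a batch job"
    }

    # A fine-grained password policy (PSO) applied via group membership overrides the
    # default domain policy; report which one is in effect and its maximum password age.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $sam = $Account.Split('\')[-1]
        $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
        if ($pso) {
            $result.PasswordPolicy = $pso.Name
            $result.MaxPasswordAge = $pso.MaxPasswordAge
        } else {
            $result.PasswordPolicy = 'Default Domain Policy'
            $result.MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }
    }
    [pscustomobject]$result
}

# Usage (placeholder account name):
Test-ServiceAccountSetup -Account 'CAMPUS\svc-example'
```

If LogonAsService or LogonAsBatchJob comes back False on the host that runs the service, the GPO or local policy step above has not reached that machine yet (run gpupdate /force and re-check); if PasswordPolicy reports the default domain policy, the account has not yet been added to the fine-grained policy group.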