Topics Map > Active Directory

Active Directory - Non-Interactive Service Accounts

The Campus Active Directory service offers a fine-grained password policy for non-interactive "service" accounts. The policy offers a more convenient maximum password age to reduce the frequency of required password changes.

Requesting a Service Account

To create a non-interactive service account, follow these directions:

  • Create a user object for each service in your department's delegated Organizational Unit. When selecting a name for the user object, please follow the Campus Active Directory Naming Convention https://kb.wisc.edu/page.php?id=30600.
  • Make sure the account has at least a 12-character password
  • E-mail activedirectory@doit.wisc.edu with the following information:
    • Department Code
    • Name of the user object
  • A Campus Active Directory administrator will add the account to a special group with the fine-grained password policy. The account will be forced to change its password at next logon.

Best Practices for use of Service Accounts

Add the "Logon as a service" rights to a user account

  • Open Local Security Policy
  • In the console tree, double-click Local Policies, and then click User Rights Assignments
  • In the details pane, double-click Logon as a service
  • Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right

Add the "Logon as a service" rights to an account for a Group Policy Object (GPO)

  • Make sure your workstation or server is joined to the domain in which your users and GPO's reside
  • Click Start, point to Run, type mmc, and then click OK
  • On the File menu, click Add/Remove Snap-in
  • In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click GPO Editor
  • In Select GPO, click Browse, browse to the GPO that you want to modify, click OK, and then click Finish
  • Click Close, and then click OK
  • In the console tree, click User Rights Assignment
  • In the details pane, double-click Logon as a service
  • If the security setting has not yet been defined, select the Define these policy settings check box
  • Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right

Set "Logon as Batch Job" Policy

  • On the Destination Server, click Start, click All Programs, and then click Administrative Tools
  • In the Adminstrative Tools menu, select Group Policy Management
  • In the Group Policy Management Console tree, click Forest:<servername>, and then click Domains
  • Click the name of your server, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit
  • In the Group Policy Management Editor, click Default Domain Controllers Policy<servername>Policy, expand Computer Configuration, and then click Policies
  • In the Policies tree, expand Windows Setting, and then click Security Settings
  • In the Security Settings tree, expand Local Policies, and then click User Rights Assignment
  • In the results pane, scroll to Logon as Batch Job, and then click Logon as a batch job
  • In the Logon as a batch job Properties dialog box, click Add User or Group
  • In the Add User or Group dialog box, click Browse
  • In the Select Users, Computers, or Groups dialog box, type Administrators
  • Click Check names to verify that the built-in Administrators group appears, and then click OK three times


Keywordscampus active directory ad microsoft service account non interactive password policy logon login application   Doc ID13881
OwnerMST SupportGroupIdentity and Access Management
Created2010-04-25 18:00:00Updated2022-05-12 09:55:03
SitesDoIT Help Desk, Identity and Access Management
Feedback  1   0