Active Directory - Non-Interactive Service Accounts

The Campus Active Directory service offers a fine-grained password policy for non-interactive "service" accounts. The policy sets a longer maximum password age than the default domain policy, so the passwords of these accounts do not have to be changed as often.

Requesting a Service Account

To create a non-interactive service account, follow these directions:

  • Create a user object for each service in your department's delegated Organizational Unit. When selecting a name for the user object, please follow the Campus Active Directory Naming Convention https://kb.wisc.edu/page.php?id=30600.
  • Give the account a password of at least 12 characters. Because the fine-grained policy lets that password stand for a long time, use a long, randomly generated value rather than the minimum
  • E-mail activedirectory@doit.wisc.edu with the following information:
    • Department Code
    • Name of the user object
  • A Campus Active Directory administrator will add the account to a special group with the fine-grained password policy. The account will be forced to change its password at next logon.
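The same request steps, as an added PowerShell example that is not part of the original KB article: it creates the user object in a department's delegated OU with a random initial password that must be changed at first logon, then reports which password policy actually applies to the account, which is how you confirm that the fine-grained policy took effect once the Campus AD administrators have added the account to the special group. The OU path, the account name `abc-svc-backup`, the department code `ABC` and the UPN suffix `campus.example.edu` are placeholders, not values from the page.

```powershell
# Added example, not from the original KB page. Creates a non-interactive
# service account in a delegated OU and then checks the resultant password
# policy. Requires the ActiveDirectory module (RSAT) and rights to create
# users in the OU.
# ASSUMPTIONS: $ou, $samName, the department code 'ABC' and the UPN suffix
# 'campus.example.edu' are placeholders; pick a name that follows the Campus
# AD naming convention linked above.
Import-Module ActiveDirectory

$ou        = 'OU=ServiceAccounts,OU=ABC,OU=Departments,DC=campus,DC=example,DC=edu'
$samName   = 'abc-svc-backup'
$upnSuffix = 'campus.example.edu'

# Generate a long random initial password (well above the 12-character minimum).
# The account is forced to change it at next logon anyway, but a long random
# value avoids handing out a guessable interim secret in the meantime.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)          # 44 characters
$securePw = ConvertTo-SecureString $initialPassword -AsPlainText -Force

New-ADUser -Name $samName `
           -SamAccountName $samName `
           -UserPrincipalName "$($samName)@$upnSuffix" `
           -Path $ou `
           -AccountPassword $securePw `
           -ChangePasswordAtLogon $true `
           -PasswordNeverExpires $false `
           -Enabled $true `
           -Description 'Non-interactive service account for nightly backups (dept ABC)'

# Which password policy wins for this account? Until the Campus AD admins add
# it to the special group, no fine-grained policy (PSO) applies and the cmdlet
# returns nothing; afterwards it returns the PSO with the longer MaxPasswordAge.
$policy = Get-ADUserResultantPasswordPolicy -Identity $samName
if ($null -eq $policy) {
    Write-Host 'No fine-grained policy applies yet; default domain policy in force:'
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge
} else {
    Write-Host "Fine-grained policy applies: $($policy.Name)"
    $policy | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, ComplexityEnabled
}
```

Run the policy check again after the administrators confirm the group membership; the resultant policy is computed per user, so group membership changes show up here without any further action on your side.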

Best Practices for use of Service Accounts

Add the "Log on as a service" right to a user account

  • Open Local Security Policy (secpol.msc)
  • In the console tree, expand Local Policies, and then click User Rights Assignment
  • In the details pane, double-click Log on as a service
  • Click Add User or Group, add the service account to the list of accounts that hold the Log on as a service right, and then click OK

Add the "Log on as a service" right to an account through a Group Policy Object (GPO)

  • Make sure your workstation or server is joined to the domain in which your users and GPOs reside
  • Click Start, point to Run, type mmc, and then click OK
  • On the File menu, click Add/Remove Snap-in
  • In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click Group Policy Object Editor
  • In Select Group Policy Object, click Browse, browse to the GPO that you want to modify, click OK, and then click Finish
  • Click Close, and then click OK
  • In the console tree, expand Computer Configuration, Windows Settings, Security Settings and Local Policies, and then click User Rights Assignment
  • In the details pane, double-click Log on as a service
  • If the security setting has not yet been defined, select the Define these policy settings check box
  • Click Add User or Group, and then add the service account to the list of accounts that hold the Log on as a service right

Note that a user right defined in a GPO replaces, rather than adds to, the list of holders on every computer the GPO applies to, so include any accounts and built-in groups that already need the right on those computers.

Set "Log on as a batch job" Policy

  • On the destination server, click Start, click All Programs, and then click Administrative Tools
  • In the Administrative Tools menu, select Group Policy Management
  • In the Group Policy Management Console tree, expand Forest: <forest name>, and then expand Domains
  • Expand the name of your domain, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit
  • In the Group Policy Management Editor, click Default Domain Controllers Policy [<servername>] Policy, expand Computer Configuration, and then click Policies
  • In the Policies tree, expand Windows Settings, and then click Security Settings
  • In the Security Settings tree, expand Local Policies, and then click User Rights Assignment
  • In the results pane, scroll to Log on as a batch job, and then double-click it
  • In the Log on as a batch job Properties dialog box, click Add User or Group
  • In the Add User or Group dialog box, click Browse
  • In the Select Users, Computers, or Groups dialog box, type Administrators
  • Click Check Names to verify that the built-in Administrators group appears, and then click OK three times

These steps edit the Default Domain Controllers Policy, which applies only to domain controllers. To grant the right on a member server, edit a GPO linked to that server's OU instead, and add the specific service account that runs the batch job rather than a broad group such as Administrators.
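The three procedures above all assign the same kind of setting, a user right, and differ only in the right (Log on as a service is SeServiceLogonRight, Log on as a batch job is SeBatchLogonRight) and in whether it is set locally or through a GPO. As an added PowerShell example that is not part of the original KB article, the following script does the local-policy version for both rights with secedit, the tool behind the Local Security Policy console; it preserves the existing holders of each right, which a hand-written template would otherwise silently revoke. The account `AD\abc-svc-backup` and the NetBIOS domain `AD` are placeholders, not the real Campus AD domain.

```powershell
# Added example, not part of the original KB page: grants an account the
# "Log on as a service" (SeServiceLogonRight) and "Log on as a batch job"
# (SeBatchLogonRight) rights on the local computer via secedit. Run from an
# elevated PowerShell session. GPO-based assignment is not covered here; use
# the GUI steps above for that.
# ASSUMPTION: 'AD\abc-svc-backup' is a placeholder account and domain.

function Get-AccountSid {
    param([Parameter(Mandatory)] [string] $Account)
    # secedit lists principals as *SID, so resolve the name first. This also
    # fails early if the account does not exist or the domain is unreachable.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LogonRightMembers {
    param([Parameter(Mandatory)] [string] $Right)
    # Returns the principals currently holding $Right as secedit writes them
    # (e.g. *S-1-5-80-0), or an empty array if nobody holds it.
    $export = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    Remove-Item $export -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Grant-LogonRight {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)]
        [ValidateSet('SeServiceLogonRight', 'SeBatchLogonRight')]
        [string[]] $Right
    )
    $sid = Get-AccountSid $Account
    $privLines = foreach ($r in $Right) {
        # Keep every principal already listed: the import replaces the right's
        # holder list wholesale, so omitting them would revoke the right from
        # other service accounts on this machine.
        $members = @(Get-LogonRightMembers $r)
        if ($members -notcontains "*$sid") { $members += "*$sid" }
        "$r = $($members -join ',')"
    }

    $import = Join-Path $env:TEMP 'rights-import.inf'
    $db     = Join-Path $env:TEMP 'rights-import.sdb'
    # Minimal security template containing only the rights being changed;
    # secedit leaves every setting not present in the template untouched.
    $template = @('[Unicode]', 'Unicode=yes',
                  '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
                  '[Privilege Rights]') + $privLines
    $template | Set-Content -Path $import -Encoding Unicode
    secedit /configure /db $db /cfg $import /areas USER_RIGHTS | Out-Null
    Remove-Item $import, $db -ErrorAction SilentlyContinue
}

function Test-LogonRight {
    param([Parameter(Mandatory)] [string] $Account,
          [Parameter(Mandatory)] [string] $Right)
    # True if the account is listed directly on the right. Group membership is
    # not expanded, so a right inherited through a group does not show here.
    return (Get-LogonRightMembers $Right) -contains "*$(Get-AccountSid $Account)"
}

# Usage with the placeholder account:
Grant-LogonRight -Account 'AD\abc-svc-backup' -Right SeServiceLogonRight, SeBatchLogonRight
Test-LogonRight  -Account 'AD\abc-svc-backup' -Right SeServiceLogonRight   # True once applied
Test-LogonRight  -Account 'AD\abc-svc-backup' -Right SeBatchLogonRight     # True once applied
```

If a GPO that applies to the computer defines the same right, the local assignment is overwritten at the next Group Policy refresh, which is why the page also gives the GPO procedure; in that case add the account in the GPO and use Test-LogonRight after a gpupdate to confirm the merged result.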


Keywords: campus active directory ad microsoft service account non interactive password policy logon login application
Doc ID: 13881
Owner: MST Support
Group: Identity and Access Management
Created: 2010-04-25 19:00:00
Updated: 2022-05-12 10:55:03
Sites: DoIT Help Desk, Identity and Access Management